1 Introduction



Substitution is the éminence grise of the λ-calculus. The classical β rule,

$$(\lambda x.a)\,b \to_\beta a\{b/x\}$$

uses substitution crucially though informally. Here a and b denote two terms, and a{b/x} represents the term a where all free occurrences of x are replaced with b. This substitution does not belong in the calculus proper, but rather in an informal meta-level. Similar situations arise in dealing with all binding constructs, from universal quantifiers to type abstractions.

A naive reading of the β rule suggests that the substitution of b for x should happen at once, when the rule is applied. In implementations, substitutions invariably happen in a more controlled way. This is due to practical considerations, relevant in the implementation of both logics and programming languages. The term a{b/x} may contain many copies of b (for instance, if a = xxxx); without sophisticated structure-sharing mechanisms [15], performing substitutions immediately causes a size explosion.

Therefore, in practice, substitutions are delayed and explicitly recorded; the application of substitutions is independent, and not coupled with the β rule. The correspondence between the theory and its implementations becomes highly nontrivial, and the correctness of the implementations can be compromised.

In this paper we study the λσ-calculus, a refinement of the λ-calculus [1] where substitutions are manipulated explicitly. Substitutions have syntactic representations, and if a is a term and s is a substitution then the term a[s] represents a with the substitution s. We can now express a β rule with delayed substitution, called Beta:

$$(\lambda x.a)\,b \to_{Beta} a[(b/x) \cdot id]$$

where (b/x) · id is syntax for the substitution that replaces x with b and affects no other variable ("·" represents extension and id the identity substitution). Of course, additional rules are needed to distribute the substitution later on.

The λσ-calculus is a suitable setting for studying the theory of substitutions, where we can express and prove desirable mathematical properties. For example, the calculus is Church-Rosser and is a conservative extension of the λ-calculus. Moreover, the λσ-calculus is strongly connected with the categorical understanding of the λ-calculus, where a substitution is interpreted as a composition [5].

We propose the λσ-calculus as a step in closing the gap between the classical λ-calculus and concrete implementations. The calculus is a vehicle in designing, understanding, verifying, and comparing implementations of the λ-calculus, from interpreters to machines. Other applications are in the analysis of typechecking algorithms for higher-order languages and, potentially, in the mechanization of logical systems.

When one considers weak reduction strategies, the treatment of substitutions can remain quite simple, and then our approach may seem overly general. Weak reduction strategies do not compute in the scope of λ's. Then, there arise neither nested substitutions nor substitutions in the scope of λ's. All substitutions are at the top level, as simple environments. An ancestor of the λσ-calculus, the λρ-calculus, suffices in this setting [5].

However, strong reduction strategies are useful in general, both in logics and in the typechecking of higher-order programming languages. In fact, strong reduction strategies are useful in all situations where symbolic matching has to be conducted in the scope of binders. Thus, a general treatment of substitutions is required, where substitutions may occur at the top level and deep inside terms.

In some respects, the λσ-calculus resembles the calculi of combinators, including those of categorical combinators [4]. The λσ-calculus and the combinator calculi all give full formal accounts of the process of computation, without suffering from unpleasant complications in the (informal) handling of variables. They all make it easy to derive machines for the λ-calculus and to show the correctness of these machines. From our perspective, the advantage of the λσ-calculus over combinator calculi is that it remains closer to the original λ-calculus.

There are actually several versions of the calculus of substitutions. We start out by discussing an untyped calculus. The main value of the untyped calculus is for studying evaluation methods. We give reduction rules that extend those of the classical λ-calculus and investigate their confluence. We concentrate on a presentation that relies on De Bruijn's numbering for variables [2], and briefly discuss presentations with more traditional variable names.

Then we proceed to consider typed calculi of substitutions, in De Bruijn notation. We discuss typing rules for a first-order system and for a higher-order system; we prove some of their central properties. The typing rules are meant to serve in designing typechecking algorithms. In particular, their study has been of help for both soundness and efficiency in the design of the Quest typechecking algorithm [3].

We postpone discussion of the untyped calculi to section 3 and of the 
typed calculi to sections 4 and 5. We now proceed with a general technical 
overview. 

2 Overview 

The technical details of the λσ-calculus can be quite intricate, and hence a gentle informal introduction seems in order. We start with a brief review of De Bruijn notation, since most of our calculi rely on it. Then we preview untyped, first-order, and second-order calculi of substitutions.

2.1 De Bruijn notation 

In De Bruijn notation, variable occurrences are replaced with positive integers (called De Bruijn indices); binding occurrences of variables become unnecessary. The positive integer n refers to the variable bound by the n-th surrounding λ binder, for example:

$$\lambda x.\lambda y.xy \quad\text{becomes}\quad \lambda\lambda\, 2\, 1$$

In first-order typed systems, the binder types must be preserved, for example:

$$\lambda x{:}A.\lambda y{:}B.xy \quad\text{becomes}\quad \lambda A.\lambda B.\, 2\, 1$$

In second-order systems, type variables too are replaced with De Bruijn indices:

$$\Lambda A.\lambda x{:}A.x \quad\text{becomes}\quad \Lambda\lambda 1.\, 1$$

Although De Bruijn notation is unreadable, it leads to simple formal systems. Therefore, we use indices in inference rules, but variable names in examples.

Classical β reduction and substitution must be adapted for De Bruijn notation. In order to reduce (λa)b, it does not suffice to substitute b into a in the appropriate places. If there are occurrences of 2, 3, 4, ... in a, these become "one off," since one of the λ binders surrounding a has been removed. Hence, all the remaining free indices in a must be decremented; the desired effect is obtained with an infinite substitution:

$$(\lambda x.a)\,b \to_\beta a\{b/x\} \quad\text{becomes}\quad (\lambda a)\,b \to_\beta a\{b/1,\, 1/2,\, 2/3,\, \ldots\}$$

When pushing this substitution inside a, we may come across a λ term (λc){b/1, 1/2, 2/3, ...}. In this case, we must be careful to avoid replacing the occurrences of 1 in c with b, since these occurrences correspond to a bound variable and the substitution should not affect them. Hence, we must "shift" the substitution. Thus, we may try:

$$(\lambda c)\{b/1,\, 1/2,\, 2/3,\, \ldots\} = \lambda c\{1/1,\, b/2,\, 2/3,\, 3/4,\, \ldots\}$$

But this is not yet correct: now b has an additional surrounding binder, and we must prevent capture of free indices of b. Suppose b contains the index 1, for example. We do not want the λ of (λc) to capture this index. Hence we must "lift" all the indices of b:

$$(\lambda c)\{b/1,\, 1/2,\, 2/3,\, \ldots\} = \lambda c\{1/1,\, b\{2/1,\, 3/2,\, \ldots\}/2,\, 2/3,\, \ldots\}$$

This informal introduction to De Bruijn notation should suffice to give the flavor of things to come.

2.2 An untyped calculus 

We shall study a simple set of algebraic operators that perform all these index manipulations, without ...'s, even though we treat infinite substitutions that replace all indexes. If s represents the infinite substitution $\{a_1/1,\, a_2/2,\, a_3/3,\, \ldots\}$, we write a[s] for a with the substitution s. A term of the form a[s] is called a closure. The change from { }'s to [ ]'s emphasizes that the substitution is no longer a meta-level operation.

The syntax of the untyped λσ-calculus is:

Terms a ::= 1 | ab | λa | a[s]

Substitutions s ::= id | ↑ | a · s | s ∘ t

This syntax corresponds to the index manipulations described in the previous section, as follows:

• id is the identity substitution {1/1, 2/2, ...}, which we may write {i/i}.

• ↑ (shift) is the substitution {(i+1)/i}; for example, 1[↑] = 2. We need only the index 1 in the syntax of terms; De Bruijn's n+1 is coded as $1[\uparrow^n]$, where $\uparrow^n$ is the composition of n shifts, ↑ ∘ ... ∘ ↑. Sometimes we write $\uparrow^0$ for id.

• i[s] is the value of the De Bruijn index i in the substitution s, also informally written s(i) when s is viewed as a function.

• a · s (the cons of a onto s) is the substitution {a/1, s(i)/(i+1)}; for example,

$$a \cdot id = \{a/1,\, 1/2,\, 2/3,\, \ldots\}$$

and

$$1 \cdot \uparrow = \{1/1,\, \uparrow(1)/2,\, \uparrow(2)/3,\, \ldots\} = id$$

• s ∘ t (the composition of s and t) is the substitution such that

$$a[s \circ t] = a[s][t]$$

hence

$$s \circ t = \{s(i)/i\} \circ t = \{s(i)[t]/i\}$$

and, for example,

$$id \circ t = \{id(i)[t]/i\} = \{t(i)/i\} = t$$

$$\uparrow \circ (a \cdot s) = \{\uparrow(i)[a \cdot s]/i\} = \{(i+1)\{a/1,\, s(i)/(i+1)\}/i\} = \{s(i)/i\} = s$$

At this point, we have shown most of the algebraic properties of the substitution operations. In addition, composition is associative and distributes over cons (that is, (a · s) ∘ t = a[t] · (s ∘ t)). Moreover, the last example above indicates that ↑ ∘ s is the "rest" of s, without the first component of s; thus, 1[s] · (↑ ∘ s) = s.

Using this new notation, we can write the Beta rule as

$$(\lambda a)\,b \to_{Beta} a[b \cdot id]$$

To complement this rule, we can write rules to evaluate 1, for instance

$$1[c \cdot s] \to c$$

and rules to push substitution inwards, for instance

$$(cd)[s] \to (c[s])(d[s])$$

In particular, we can derive an intriguing law for the distribution of substitution over λ:

$$\begin{aligned}
(\lambda c)[s] &= (\lambda c)\{s(i)/i\} \\
&= \lambda c\{1/1,\, s(i)\{(i+1)/i\}/(i+1)\} && \text{(by previous discussion)} \\
&= \lambda c\{1/1,\, s(i)[\uparrow]/(i+1)\} && \text{(by definition of } \uparrow) \\
&= \lambda c[1 \cdot \{s(i)[\uparrow]/i\}] && \text{(by definition of } \cdot) \\
&= \lambda c[1 \cdot (s \circ \uparrow)] && \text{(by definition of } \circ)
\end{aligned}$$

that is,

$$(\lambda c)[s] = \lambda c[1 \cdot (s \circ \uparrow)]$$

This last rule uses all the operators (except id), and suggests that this choice of operators is natural, perhaps inevitable. In fact, there are many possible variations, but we shall not discuss them here.

Explicit substitutions complicate the structure of bindings somewhat. For example, consider the term

$$(\lambda(1[2 \cdot id]))[a \cdot id]$$

We may be tempted to think that 1 is bound by λ, as it would be in a standard De Bruijn reading. However, the substitution [2 · id] intercepts the index, giving the value 2 to 1. Then, after crossing over λ, the index 2 is renamed to 1 and receives the value a. One should keep these complications in mind in examining λσ formulas, for example, in deciding whether a formula is closed, in the usual sense. A precise definition of bindings is as follows.

First, we associate statically (without reduction) a length with each substitution. The length is actually a pair of two integers (m, n). For a substitution of the form $a_1 \cdot \ldots \cdot a_m \cdot (\uparrow \circ \ldots \circ \uparrow)$, we have that m is the number of consed terms and n is the number of ↑'s. The full definition of the length is:

$$\begin{aligned}
|id| &= (0, 0) \\
|\uparrow| &= (0, 1) \\
|a \cdot s| &= (m + 1, n) && \text{where } |s| = (m, n) \\
|s \circ t| &= (m + p - n, q) && \text{where } |s| = (m, n),\ |t| = (p, q),\ p \ge n \\
|s \circ t| &= (m, q + n - p) && \text{where } |s| = (m, n),\ |t| = (p, q),\ p < n
\end{aligned}$$

Then, in order to find where a variable n is bound in an expression, we go towards the root of the expression parse tree. We initialize a counter p to n. We decrement it when we cross a λ. If it becomes 0, the λ is the wanted binder. When we reach an a in a closure a[s], with $|s| = (m_s, n_s)$, we compare p with $m_s$. If $p \le m_s$, the variable is bound in s. Otherwise, we continue upwards, setting the counter to $p - m_s + n_s$.
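The length function and the binder-finding procedure above, as an added example in Python (not code from the paper); the tuple encoding of terms and substitutions and the sample terms are constructed here, and the treatment of terms inside s ∘ t is our reading of a[s ∘ t] = a[s][t], which the page does not spell out.

```python
# Added example (not from the paper): the static length |s| of a substitution and
# the binder-finding procedure just described, in Python. Encoding (constructed here):
#   term   1 | ('app', a, b) | ('lam', a) | ('clos', a, s)
#   subst  ('id',) | ('shift',) | ('cons', a, s) | ('comp', s, t)
# The De Bruijn index n+1 is written 1[↑^n], i.e. ('clos', 1, <n right-nested shifts>).

def length(s):
    """|s| = (m, n): m consed terms and n shifts, by the five clauses of the definition."""
    tag = s[0]
    if tag == 'id':
        return (0, 0)
    if tag == 'shift':
        return (0, 1)
    if tag == 'cons':
        m, n = length(s[2])
        return (m + 1, n)
    m, n = length(s[1])          # ('comp', s, t)
    p, q = length(s[2])
    return (m + p - n, q) if p >= n else (m, q + n - p)

def binder(n, context):
    """Find what binds index n. `context` lists the constructs crossed on the way down
    from the root to the occurrence: 'lam' for a λ, ('clos', s) for the term position
    of a closure a[s]. Walking back towards the root, the counter p starts at n, drops
    by one at each λ (0 means: this λ binds it), and at a closure is either caught by
    s (p <= m_s) or adjusted to p - m_s + n_s.
    Returns ('lambda', d), ('subst', s, p) or ('free', p) (free index p at the root)."""
    p = n
    for d in range(len(context) - 1, -1, -1):
        c = context[d]
        if c == 'lam':
            p -= 1
            if p == 0:
                return ('lambda', d)
        else:
            m_s, n_s = length(c[1])
            if p <= m_s:
                return ('subst', c[1], p)
            p = p - m_s + n_s
    return ('free', p)

def occurrences(a, context=()):
    """Resolve every occurrence of the index 1 in a, in left-to-right order. An index
    coded as 1[↑^n] needs no special case: the closure step lifts the counter to n+1."""
    if a == 1:
        return [binder(1, context)]
    tag = a[0]
    if tag == 'app':
        return occurrences(a[1], context) + occurrences(a[2], context)
    if tag == 'lam':
        return occurrences(a[1], context + ('lam',))
    return occurrences(a[1], context + (('clos', a[2]),)) + occurrences_s(a[2], context)

def occurrences_s(s, context):
    """Terms inside a substitution are read in the enclosing context; in s ∘ t the terms
    of s are additionally under t, since a[s ∘ t] = a[s][t] (our reading of the page)."""
    tag = s[0]
    if tag in ('id', 'shift'):
        return []
    if tag == 'cons':
        return occurrences(s[1], context) + occurrences_s(s[2], context)
    return occurrences_s(s[1], context + (('clos', s[2]),)) + occurrences_s(s[2], context)

def is_closed(a):
    """Closed in the usual sense: no occurrence resolves to a free index at the root."""
    return all(r[0] != 'free' for r in occurrences(a))
```

On the page's term (λ(1[2 · id]))[a · id] the first 1 resolves to the substitution 2 · id and the 2 inside it, after crossing the λ, to a · id, as the text describes.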

2.3 A first-order calculus 

When we move to a typed calculus, we introduce types both in terms and in substitutions. For the typed first-order λσ-calculus, the syntax becomes:

Types A ::= K | A → B

Environments E ::= nil | A, E

Terms a ::= 1 | ab | λA.a | a[s]

Substitutions s ::= id | ↑ | a:A · s | s ∘ t

The environments are used in the type inference rules, as is commonly done, to record the types of the free variables of terms. Naturally, in this setting, environments are indexed by De Bruijn indices. The environment $A_1, \ldots, A_n, nil$ associates type $A_i$ with index i. For example, the typing axiom for 1 is:

$$A, E \vdash 1 : A$$

and the typing rule for λ abstraction is:

$$\frac{A, E \vdash b : B}{E \vdash \lambda A.b : A \to B}$$

In the λσ-calculus, environments have a further function: they serve as the "types" of substitutions. We write s ▷ E to say that the substitution s "has" the environment E. For example, the typing rule for cons is:

$$\frac{E \vdash a : A \qquad E \vdash s \triangleright E'}{E \vdash (a{:}A \cdot s) \triangleright A, E'}$$

The main use of this new notion is in typing closures. Since s provides the context in which a should be understood, the approach is to compute the environment E' of s, and then type a in that environment:

$$\frac{E \vdash s \triangleright E' \qquad E' \vdash a : A}{E \vdash a[s] : A}$$

An instance of this rule is:

$$\frac{nil \vdash a{:}A \cdot id \triangleright A, nil \qquad A, nil \vdash 1 : A}{nil \vdash 1[a{:}A \cdot id] : A}$$
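A typechecker for this first-order calculus, as an added example in Python (not code from the paper). It implements the four rules shown above; the rules for application, id, ↑ and s ∘ t are the standard ones and are assumed here, as the page does not display them, and the tuple encoding is constructed for this example.

```python
# Added example (not from the paper): a typechecker for the first-order λσ-calculus of
# this section, in Python. Encoding (constructed here):
#   type   a string for a base type K | ('arrow', A, B)
#   env    a tuple (A_1, ..., A_n); () is nil, and index i has type A_i
#   term   1 | ('app', b, a) | ('lam', A, a) | ('clos', a, s)
#   subst  ('id',) | ('shift',) | ('cons', a, A, s) | ('comp', s, t)
# The page gives the rules for 1, λA.b, a:A·s and a[s]; the rules for application, id,
# ↑ and s∘t below are the standard ones assumed here (not shown on the page):
#   E ⊢ b : A→B, E ⊢ a : A ⇒ E ⊢ ba : B        E ⊢ id ▷ E        A,E ⊢ ↑ ▷ E
#   E ⊢ t ▷ E'', E'' ⊢ s ▷ E' ⇒ E ⊢ s∘t ▷ E'   (since a[s∘t] = a[s][t])

class IllTyped(Exception):
    pass

def type_of(E, a):
    """Synthesize A such that E ⊢ a : A, or raise IllTyped."""
    if a == 1:                                      # axiom: A,E ⊢ 1 : A
        if not E:
            raise IllTyped("index 1 in the empty environment nil")
        return E[0]
    tag = a[0]
    if tag == 'app':                                # E ⊢ b : A→B  E ⊢ a : A  /  E ⊢ ba : B
        f, x = type_of(E, a[1]), type_of(E, a[2])
        if isinstance(f, str) or f[1] != x:
            raise IllTyped(f"cannot apply {f} to {x}")
        return f[2]
    if tag == 'lam':                                # A,E ⊢ b : B  /  E ⊢ λA.b : A→B
        A, body = a[1], a[2]
        return ('arrow', A, type_of((A,) + E, body))
    E2 = env_of(E, a[2])                            # E ⊢ s ▷ E'  E' ⊢ a : A  /  E ⊢ a[s] : A
    return type_of(E2, a[1])

def env_of(E, s):
    """Synthesize E' such that E ⊢ s ▷ E' (s "has" the environment E'), or raise IllTyped."""
    tag = s[0]
    if tag == 'id':
        return E
    if tag == 'shift':
        if not E:
            raise IllTyped("shift in the empty environment nil")
        return E[1:]
    if tag == 'cons':                               # E ⊢ a : A  E ⊢ s ▷ E'  /  E ⊢ (a:A·s) ▷ A,E'
        a, A, rest = s[1], s[2], s[3]
        got = type_of(E, a)
        if got != A:
            raise IllTyped(f"cons annotation {A} but term has type {got}")
        return (A,) + env_of(E, rest)
    E2 = env_of(E, s[2])                            # ('comp', s, t): type t first, then s
    return env_of(E2, s[1])

def well_typed(E, a):
    """True iff some A satisfies E ⊢ a : A."""
    try:
        type_of(E, a)
        return True
    except IllTyped:
        return False
```

The instance displayed above, nil ⊢ 1[a:A · id] : A, is checked by typing the cons first and then 1 in the environment A, nil it produces.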

2.4 A second-order calculus 

When we move to a second-order system, new subtleties appear, because substitutions may contain types, and environments may contain placeholders for types; for example,

$$(Bool{::}Ty \cdot id) \triangleright Ty, nil$$

The typing rules become more complex because types may contain type variables, which must be looked up in the appropriate environments. (The problem arises in full generality with dependent types [14], and some readers may find it helpful to think about calculi of substitutions with dependent types.) In particular, the typing axiom for 1 shown above becomes the rule:

$$\frac{E \vdash A :: Ty}{A, E \vdash 1 : A[\uparrow]}$$

The extra shift is required because A is understood in the environment E in the hypothesis, while it is understood in A, E in the conclusion. An alternative (but heavy) solution would be to have separate index sets for ordinary term variables and for type variables, and to manipulate separate term and type environments as well.

Another instance of this phenomenon is in the rule for λ abstraction, which we have also seen above:

$$\frac{A, E \vdash b : B}{E \vdash \lambda A.b : A \to B}$$

Notice that previously A must have been proved to be a type in the environment E, while B is understood in A, E in the assumption. Then A → B is understood in E in the conclusion. This means that the indices of B are "one off" in A → B. The rule for application takes this into account; a substitution is applied to B to "unshift" its indices:

$$\frac{E \vdash b : A \to B \qquad E \vdash a : A}{E \vdash b(a) : B[a{:}A \cdot id]}$$

The B[a:A · id] part is reminiscent of the rule found in calculi for dependent types, and this is the correct technique for the version of such calculi with explicit substitutions. However, since here we do not deal with dependent types, B will never contain the index 1, and hence a will never be substituted in B. The substitution is still necessary to shift the other indices in B.

The main difficulty in our second-order calculus arises in typing closures. The approach described for the first order, while still viable, is not sufficient. For example, if not is the usual negation on Bool, we certainly want to be able to type the term

$$(\lambda 1.\, not(1))[Bool \cdot id]$$

or, in a more familiar notation,

$$\mathrm{Let}\ X = Bool\ \mathrm{in}\ \lambda x{:}X.\, not(x)$$

(We interpret Let via a substitution, not via a λ.) Our strategy for the first-order calculus was to type the substitution, obtaining an environment (X :: Ty) · id, and then type the term λx:X.not(x) in this environment. Unfortunately, to type this term, it does not suffice to know that X is a type; we must know that X is Bool. To solve this difficulty in the second-order system, we have rules to push a substitution inside a term and then type the result. As in calculi with dependent types, the tasks of deriving types and applying substitutions are inseparable.

Finally, as discussed below, surprises arise in writing down the precise rules; for example the rule for typing conses has to be modified. Even the form of the judgement E ⊢ s ▷ E' must be reconsidered.

Higher-order systems, possibly with dependent constructions, are also 
of theoretical and practical importance. We do not discuss them formally 
below, however, for we believe that the main complications arise already at 
the second order. 



3 The untyped λσ-calculus

In this section we present the untyped λσ-calculus. We propose a basic set of equational axioms for the λσ-calculus in De Bruijn notation. The equations induce a rewriting system; this rewriting system suffices for the purposes of computation. We show that the rewriting system is confluent, and thus provides a convenient theoretical basis for more deterministic implementations of the λσ-calculus.
We also consider some variants of the axiom system. Restrictions bring us closer to implementations, as they make evaluation more deterministic. An extension of the system is suggested by Knuth-Bendix computations. Finally, we discuss a λσ-calculus using variable names.

As in the classical λ-calculus, actual implementations would resort to particular rewriting strategies. We discuss a normal-order strategy for λσ evaluation. Then we focus on a more specialized reduction system, still based on normal order, which provides a suitable basis for abstract λσ machines. We describe one machine, which extends Krivine's weak reduction machine [13] with strong reduction.

In her study of categorical combinators, Hardin proposed systems similar to ours [8]. In particular, Hardin's system ε + (Beta) is the homomorphic image of our basic system. We rely on some of her techniques to prove our results, and not surprisingly we find confluence properties similar, but not equivalent, to those she found. (We come back to this point below.)

The main difference between the approaches is that in Hardin's work there is a unique sort for terms and substitutions. The distinction between terms and substitutions is central in our work. This distinction is important to a simple understanding of confluence properties and to the practicality of the λσ-calculus.

Simultaneously with our work, Field developed a system almost identical 
to our basic system, too, and claimed some of the same results [7]. Thus, 
we share a starting point. However, Field's paper is an investigation of 
optimality properties of reduction schemes, so for example Field went on 
to consider a labelled calculus. In contrast, we are more concerned with 
questions of confluence and with typechecking issues. 

3.1 The basic rewriting system

The syntax of the untyped λσ-calculus is the one given in the informal overview,

Terms a ::= 1 | ab | λa | a[s]

Substitutions s ::= id | ↑ | a · s | s ∘ t

Notice that we have not included metavariables over the sorts of terms and substitutions; we consider only closed terms, and this suffices for our purposes. (In De Bruijn notation, the variables 1, 2, ... are constants rather than metavariables.)

In this notation, we now define an equational theory for the λσ-calculus, by proposing a set of equations as axioms. When they are all oriented from left to right, the equations become rewrite rules and give rise to a rewriting system. The equations fall into two subsets: a singleton Beta, which is the equivalent of the classical β rule, and ten rules for manipulating substitutions, which we call σ collectively.

$$\begin{aligned}
\textit{Beta} &\quad (\lambda a)\,b = a[b \cdot id] \\
\textit{VarId} &\quad 1[id] = 1 \\
\textit{VarCons} &\quad 1[a \cdot s] = a \\
\textit{App} &\quad (ab)[s] = (a[s])(b[s]) \\
\textit{Abs} &\quad (\lambda a)[s] = \lambda(a[1 \cdot (s \circ \uparrow)]) \\
\textit{Clos} &\quad a[s][t] = a[s \circ t] \\
\textit{IdL} &\quad id \circ s = s \\
\textit{ShiftId} &\quad \uparrow \circ id = \uparrow \\
\textit{ShiftCons} &\quad \uparrow \circ (a \cdot s) = s \\
\textit{Map} &\quad (a \cdot s) \circ t = a[t] \cdot (s \circ t) \\
\textit{Ass} &\quad (s_1 \circ s_2) \circ s_3 = s_1 \circ (s_2 \circ s_3)
\end{aligned}$$

As usual, the equational theory follows from these axioms together with the inference rules for replacing equals for equals.

Our choice of presentation is guided by the structure of terms and substitutions. The Beta rule eliminates λ's and creates substitutions; the function of the other rules is to eliminate substitutions. Two rules deal with the evaluation of 1. The next three deal with pushing substitutions inwards. The remaining five express substitution computations. We prove below that the substitution rules always produce unique normal forms; we denote the σ normal form of a by σ(a).

The classical β rule is not directly included, but it can be simulated, as we now argue. The precise definition of β reduction, in the style of De Bruijn [2], is as follows:

$$(\lambda a)\,b \to_\beta a\{b/1,\, 1/2,\, \ldots,\, n/n{+}1,\, \ldots\}$$

where the meta-level substitution {...} is defined inductively by using the rules:

$$n\{a_1/1, \ldots, a_n/n, \ldots\} = a_n$$

$$\frac{a\{a_1/1, \ldots, a_n/n, \ldots\} = a' \qquad b\{a_1/1, \ldots, a_n/n, \ldots\} = b'}{(ab)\{a_1/1, \ldots, a_n/n, \ldots\} = a'b'}$$

$$\frac{a_i\{2/1, \ldots, n{+}1/n, \ldots\} = a_i' \qquad a\{1/1,\, a_1'/2, \ldots, a_n'/n{+}1, \ldots\} = a'}{(\lambda a)\{a_1/1, \ldots, a_n/n, \ldots\} = \lambda a'}$$

If $a_1, \ldots, a_n, \ldots$ is a sequence of consecutive integers after some point (the only useful case), then the meta-level substitution $\{a_1/1, \ldots, a_n/n, \ldots\}$ corresponds closely to an explicit substitution:

Proposition 3.1 If there exist m and p such that $a_{m+q} = p+q$ for all $q \ge 1$, and $a\{a_1/1, \ldots, a_n/n, \ldots\} = b$ is provable in the formal system presented above, then $\sigma(a[a_1 \cdot a_2 \cdot \ldots \cdot a_m \cdot \uparrow^p]) = b$.

Proof The argument is by induction on the length of the proof of $a\{a_1/1, \ldots, a_n/n, \ldots\} = b$; we strengthen the claim, and argue that all intermediate terms in the proof satisfy the hypothesis. We omit the easy application case.

Case $n\{a_1/1, \ldots, a_n/n, \ldots\} = a_n$: If $n \le m$, then $n[a_1 \cdot a_2 \cdot \ldots \cdot a_m \cdot \uparrow^p] \to_\sigma a_n$; if $n > m$, then $n[a_1 \cdot a_2 \cdot \ldots \cdot a_m \cdot \uparrow^p] \to_\sigma n - m + p$. But by hypothesis $a_n = a_{m + (n-m)} = (n - m) + p$.

Case $(\lambda a)\{a_1/1, \ldots, a_n/n, \ldots\} = \lambda a'$: By induction on the $a_i$'s (choosing m and p to be 0 and 1), we get $\sigma(a_i[\uparrow]) = a_i'$. This allows us to apply induction on a for m + 1 and p + 1:

$$\sigma(a[1 \cdot a_1' \cdot \ldots \cdot a_m' \cdot \uparrow^{p+1}]) = a'$$

On the other hand our desired conclusion reduces to showing

$$\sigma(a[1 \cdot ((a_1 \cdot \ldots \cdot a_m \cdot \uparrow^p) \circ \uparrow)]) = a'$$

which holds since

$$(a_1 \cdot \ldots \cdot a_m \cdot \uparrow^p) \circ \uparrow \to_\sigma^* a_1[\uparrow] \cdot \ldots \cdot a_m[\uparrow] \cdot \uparrow^{p+1}$$

□

Therefore, the simulation of the β rule consists in first applying Beta and then σ until a σ normal form is reached.
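The rule set of this subsection, together with the simulation of β just described (one Beta step followed by σ-normalization), as an added example in Python (not code from the paper). The tuple encoding and the sample terms are constructed here; since σ is noetherian and confluent, the σ normal form is computed by plain structural recursion without worrying about strategy.

```python
# Added example (not from the paper): the rewriting system Beta + σ of this section,
# in Python, on closed terms. Encoding (constructed here):
#   term   1 | ('app', a, b) | ('lam', a) | ('clos', a, s)
#   subst  ('id',) | ('shift',) | ('cons', a, s) | ('comp', s, t)
# σ is noetherian and confluent, so σ-normal forms are computed by plain structural
# recursion; β is simulated by one Beta step followed by σ-normalization, in normal order.

ID, SHIFT = ('id',), ('shift',)

def var(n):
    """De Bruijn index n, coded as 1[↑^(n-1)] with the shifts nested to the right."""
    s = None
    for _ in range(n - 1):
        s = SHIFT if s is None else ('comp', SHIFT, s)
    return 1 if s is None else ('clos', 1, s)

def sigma(a):
    """σ-normal form of a term: all substitutions pushed in and evaluated, leaving only
    the 1[↑^n] codings of indices."""
    if a == 1:
        return 1
    tag = a[0]
    if tag == 'app':
        return ('app', sigma(a[1]), sigma(a[2]))
    if tag == 'lam':
        return ('lam', sigma(a[1]))
    return push(sigma(a[1]), sigma_s(a[2]))             # ('clos', a, s)

def push(a, s):
    """a[s] for a and s already in σ-normal form."""
    if a == 1:
        if s == ID:                                       # VarId
            return 1
        if s[0] == 'cons':                                # VarCons
            return s[1]
        return ('clos', 1, s)                             # 1[↑^n]: a normal form
    tag = a[0]
    if tag == 'app':                                      # App
        return ('app', push(a[1], s), push(a[2], s))
    if tag == 'lam':                                      # Abs
        return ('lam', push(a[1], ('cons', 1, comp(s, SHIFT))))
    return push(a[1], comp(a[2], s))                      # Clos: a[t][s] -> a[t ∘ s]

def sigma_s(s):
    """σ-normal form of a substitution."""
    tag = s[0]
    if tag in ('id', 'shift'):
        return s
    if tag == 'cons':
        return ('cons', sigma(s[1]), sigma_s(s[2]))
    return comp(sigma_s(s[1]), sigma_s(s[2]))             # ('comp', s, t)

def comp(s, t):
    """s ∘ t for s and t already in σ-normal form."""
    if s == ID:                                           # IdL
        return t
    if s == SHIFT:
        if t == ID:                                       # ShiftId
            return SHIFT
        if t[0] == 'cons':                                # ShiftCons
            return t[2]
        return ('comp', SHIFT, t)                         # ↑ ∘ ↑^n: a normal form
    if s[0] == 'cons':                                    # Map
        return ('cons', push(s[1], t), comp(s[2], t))
    return comp(s[1], comp(s[2], t))                      # Ass

def beta_step(a):
    """Fire the leftmost-outermost Beta redex (λa)b -> a[b·id] in a σ-normal term;
    None if there is none (closures in σ-normal form are 1[↑^n] and hold no redex)."""
    if a == 1 or a[0] == 'clos':
        return None
    if a[0] == 'lam':
        r = beta_step(a[1])
        return None if r is None else ('lam', r)
    f, x = a[1], a[2]                                     # ('app', f, x)
    if f != 1 and f[0] == 'lam':
        return ('clos', f[1], ('cons', x, ID))
    r = beta_step(f)
    if r is not None:
        return ('app', r, x)
    r = beta_step(x)
    return None if r is None else ('app', f, r)

def normalize(a, max_steps=1000):
    """Normal-order β-normal form, simulating each β step as Beta followed by σ."""
    a = sigma(a)
    for _ in range(max_steps):
        r = beta_step(a)
        if r is None:
            return a
        a = sigma(r)
    raise RuntimeError("no normal form within max_steps (the term may diverge)")
```

On the overview's term (λ(1[2 · id]))[a · id] with a := λ1, σ-normalization yields λλ1, i.e. λ(a[↑]), exactly as the informal reading there predicts.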
As usual, we want a confluence theorem for the calculus. This theorem will guarantee that all rewrite sequences yield identical results, and thus that the strategies used by different implementations are equivalent:

Theorem 3.2 Beta + σ is confluent.

The proof does not rely on standard rewriting techniques, as Beta + σ does not pass the Knuth-Bendix test (but σ does). We come back to this subtle point below.

Instead, the proof relies on the termination and confluence of σ, the confluence of the classical λ-calculus, and Hardin's interpretation technique [8].
First we show that σ is noetherian (that is, σ reductions always terminate) and confluent.

Proposition 3.3 σ is noetherian and confluent.

Proof We have an indirect proof of noetherianity, as follows. The λσ-calculus translates into categorical combinators [6], by merging the two sorts of terms and substitutions and collapsing the operations [ ] and ∘ into one. Under this translation, a one-step rewriting in σ is mapped to a one-step rewriting of a system SUBST of categorical rewriting rules (the exact translation of the largest variant considered in 3.2). Hardin and Laville have established the termination of SUBST [9].

Noetherianity simplifies the proof of confluence. By a well-known lemma, local confluence suffices [11]; it can be checked by examining critical pairs, according to the Knuth-Bendix test. For example, for the critical pair

$$(1[id])[s] \to 1[s] \quad\text{and}\quad (1[id])[s] \to 1[id \circ s]$$

local confluence is ensured through the IdL rule. □

Since σ is noetherian, let us examine the form of σ normal forms. A substitution in normal form is necessarily in the form

$$a_1 \cdot (a_2 \cdot (\ldots (a_m \cdot U) \ldots))$$

where U is either id or a composition ↑ ∘ (··· (↑ ∘ ↑) ···). A term in normal form is entirely free of substitutions, except in subterms such as $1[\uparrow^n]$, which codes the De Bruijn index n+1. Thus, a term in normal form is a classical λ-calculus term (modulo the equivalence of $1[\uparrow^n]$ and n+1).

In summary, the syntax of σ normal forms is:

Terms a ::= 1 | 1[↑ⁿ] | ab | λa

Substitutions s ::= id | ↑ⁿ | a · s

After these remarks on σ, we can apply Hardin's interpretation technique to show that the full λσ system is confluent.

First, we review Hardin's method. Let X be a set equipped with two relations R and S. Suppose that R is noetherian and confluent, and denote by R(x) the R normal form of x; that $S_R$ is a relation included in $(R \cup S)^*$ on the set of R normal forms; and that, for any x and y in X, if S(x, y) then $S_R(R(x), R(y))$. An easy diagram chase yields that if $S_R$ is confluent then so is $(R \cup S)^*$.

In our case, we take R to be the relation induced by the σ rules; that is, R(x, y) holds if x reduces to y with the σ rules. We take $S_R$ to be classical β conversion; that is, $S_R(x, y)$ holds if y is obtained from x by replacing a subterm of the form (λa)b with σ(a[b · id]).

Thus the proof of confluence reduces to the two following lemmas:

Lemma 3.4 β is confluent on σ normal forms.

Proof Notice that, on terms, β reduction is the original β reduction, by Proposition 3.1. As for substitutions, since only normal forms are involved, the β reductions are independent β reductions on the components of the substitutions. □

Lemma 3.5

1. If $a \to_{Beta} b$ then $\sigma(a) \to_\beta \sigma(b)$.

2. If $s \to_{Beta} t$ then $\sigma(s) \to_\beta \sigma(t)$.

Proof We proceed by induction on the structure of a and s, together.

If a is an application $a_1 a_2$ and if the Beta redex is in $a_1$ or $a_2$, then the result follows easily from the induction hypothesis, since $\sigma(a_1 a_2) = \sigma(a_1)\sigma(a_2)$. We proceed likewise if a is an abstraction $\lambda a_1$.

If the Beta redex is $a = (\lambda a_1)\,a_2$, then $b = a_1[a_2 \cdot id]$, and then $\sigma(a) = (\lambda\sigma(a_1))\,\sigma(a_2)$. By definition of β, we have

$$\sigma(a) \to_\beta \sigma(\sigma(a_1)[\sigma(a_2) \cdot id])$$

that is,

$$\sigma(a) \to_\beta \sigma(b)$$
The last case for terms is $a = a_1[s_1]$. Since $\sigma(a_1[s_1]) = \sigma(\sigma(a_1)[\sigma(s_1)])$, the induction hypothesis reduces our problem to the familiar substitution lemma. De Bruijn proved the following substitution lemma:

If $a \to_\beta a'$ then $a\{a_1, a_2, \ldots\} \to_\beta a'\{a_1, a_2, \ldots\}$. If $a_i \to_\beta a_i'$ then $a\{a_1, \ldots, a_{i-1}, a_i, a_{i+1}, \ldots\} \to_\beta^* a\{a_1, \ldots, a_{i-1}, a_i', a_{i+1}, \ldots\}$.

By Proposition 3.1, this lemma reads, in our notation,

Suppose a and s are in σ normal form. If $a \to_\beta a'$, then $\sigma(a[s]) \to_\beta \sigma(a'[s])$. If $s \to_\beta s'$, then $\sigma(a[s]) \to_\beta^* \sigma(a[s'])$.

Thus the lemma settles this case.

The cases for β reductions in substitutions are analogous to those for terms. The case of $a_1 \cdot s_1$ is identical to the one for $\lambda a_1$. The case of $s_1 \circ s_2$ is similar to the one for $a_1[s_1]$. It suffices to consider the normal forms of $s_1$ and $s_2$ for reducing our problem to the substitution lemma, once more. □

3.2 Variants

Some subsystems of σ are reasonable first steps to deterministic evaluation algorithms. We can restrict σ in three different ways. The rule Clos can be removed. The inference rule

$$\frac{s = s' \qquad t = t'}{s \circ t = s' \circ t'}$$

can be removed, and the inference rule for the closure operator can be restricted to

$$\frac{s = s'}{1[s] = 1[s']}$$

These restrictions (even cumulated) do not prevent us from obtaining σ normal forms and confluence. A general result enables us to derive confluence for these subsystems:

Lemma 3.6 If S is a subrelation of a noetherian and confluent relation R, and if S normal forms are R normal forms, then S is also confluent. Moreover, the smallest equivalence relations containing R and S coincide.

Proof If $S^*(a, b)$ and $S^*(a, c)$ then b and c have the same R normal form d, since $S \subseteq R$. However, an S normal form of b (or c) is also an R normal form of b, and thus coincides with d. An almost identical argument establishes the second claim. □

Here we take R and S to be the relations induced by σ and by σ's restriction, respectively. Thus, we easily obtain that the restricted substitution rules are noetherian and confluent, and we can apply the interpretation technique, through exactly the same steps as before. (In fact, the lemmas proved above apply directly, with no modification.)

Confluence properties suggest a second kind of variant. Although Beta + σ is confluent, when we view it as a standard rewriting system on first-order terms it is not even locally confluent. The subtle point is that we have proved confluence on closed λσ terms, that is, on terms exclusively constructed from the operators of the λσ-calculus. In contrast, checking critical pairs involves considering open terms over this signature, with metavariables (that is, variables x and u ranging over terms and substitutions, different from De Bruijn indexes 1, 2, ...).

Consider, for example, the critical pair:

$$((\lambda a)\,b)[u] \to^* a[b[u] \cdot u] \qquad\qquad ((\lambda a)\,b)[u] \to^* a[b[u] \cdot (u \circ id)]$$

For local confluence, we would want the equation (s ∘ id) = s, but this equation is not a theorem of σ. Similar critical pair considerations suggest the addition of four new rules:

$$\begin{aligned}
\textit{Id} &\quad a[id] = a \\
\textit{IdR} &\quad s \circ id = s \\
\textit{VarShift} &\quad 1 \cdot \uparrow = id \\
\textit{SCons} &\quad 1[s] \cdot (\uparrow \circ s) = s
\end{aligned}$$

These additional rules are well justified from a theoretical point of view. However, confluence on closed terms can be established without them, and they are not computationally significant. Moreover, some of them are admissible (that is, every closed instance is provable). More precisely Id and IdR are admissible in σ, and SCons is admissible in σ + VarShift.

We should particularly draw attention to the last rule, SCons. It expresses that a substitution is equal to its first element appended in front of the rest. This rule is reminiscent of the surjective-pairing rule, which deserved much attention in the classical λ-calculus. Klop has shown that surjective pairing destroys confluence for the λ-calculus [12].

Similarly, we conjecture that the system σ + Id + IdR + VarShift + SCons is not confluent when we have metavariables for both terms and substitutions, although it is locally confluent. The following term, inspired by Klop's counterexample [12], seems to work as a counterexample to confluence:

$$Y(\lambda\lambda\, x[1[u \circ (1 \cdot id)] \cdot (\uparrow \circ (u \circ ((2\,1) \cdot id)))])$$

where Y is a fixpoint combinator, x is a term metavariable, and u is a substitution metavariable. Some work has to be done to check the details. Let us just recall the informal argument. Call b = Y(c) the term above. It reduces to both $x[u \circ ((cb) \cdot id)]$ and $c(x[u \circ ((cb) \cdot id)])$. To get a common reduct of these two terms, we need to apply SCons at some stage, and this requires finding a common reduct of the very same terms. Klop uses standardization to turn this informal circularity argument into a reductio ad absurdum, starting with a minimal length standard reduction to such a common reduct.

The reader may wonder what thwarts the techniques used in the last
subsection. The point is that in Lemma 3.5, our reduction to the classical
substitution lemma depended crucially on the syntax of substitutions in
normal form, which is not so simple any more. (The syntax allows in particular
expressions of the form $u \circ (1 \cdot \mathit{id})$, as in the suggested counterexample.)

We can go half way in adding metavariables. If we add only term
metavariables, the syntax of substitution σ normal forms is unchanged. This
protects us from the claimed counterexample. There are two additional cases
for term σ normal forms, the cases for metavariables:

$$\text{Terms} \quad a ::= 1 \mid 1[\uparrow^{n}] \mid ab \mid \lambda a \mid x \mid x[s]$$

We believe that confluence can be proved in this case by the interpretation
technique. Confluence on normal forms would be obtained through
an encoding of the normal forms in the λ-calculus extended with constants,
which is known to be confluent ($x$ becomes a constant; $x[s]$ becomes a
constant applied to the elements of $s$).

Hardin's results on confluence bear some similarity with ours. In [8],
Hardin has shown that various systems are confluent on a set $V$ of closed
terms, which includes the representation of all the usual λ expressions; she
found problems with confluence for non-closed terms, too. However, her
difficulties and ours differ somewhat, and in particular the counterexamples
to confluence differ.

Recently, Hardin and Lévy have succeeded in obtaining confluence with
metavariables for both terms and substitutions, by slightly changing the
syntax and the set of equations. Their results are reported in [10].

3.3 The λσ-calculus with names

Let us discuss a more traditional formulation of the calculus, with variable
names $x, y, z, \ldots$, as a small digression. Two ways seem viable.
In one approach, we consider the following syntax:

$$\text{Terms} \quad a ::= x \mid ab \mid \lambda x.a \mid a[s]$$

$$\text{Substitutions} \quad s ::= \mathit{id} \mid (a/x) \cdot s \mid s \circ t$$

The corresponding theory includes equations such as:

$$\mathrm{Beta} \qquad (\lambda x.a)b = a[(b/x) \cdot \mathit{id}]$$

$$\mathrm{Var1} \qquad x[(a/x) \cdot s] = a$$

$$\mathrm{Var2} \qquad x[(a/y) \cdot s] = x[s] \qquad (x \neq y)$$

$$\mathrm{Var3} \qquad x[\mathit{id}] = x$$

$$\mathrm{App} \qquad (ab)[s] = (a[s])(b[s])$$

$$\mathrm{Abs} \qquad (\lambda x.a)[s] = \lambda y.(a[(y/x) \cdot s]) \qquad (y \text{ occurs in neither } a \text{ nor } s)$$

The rules correspond closely to the basic ones presented in De Bruijn notation.
The Abs rule does not require a shift operator, but involves a condition
on variable occurrences. (The side condition could be weakened, from $y$ not
occurring at all in $a$ and $s$, to $y$ not occurring free, in a precise technical
sense that we do not define here.) The consideration of the critical pairs
generated by the previous rules immediately suggests new rules, such as:

$$\mathrm{OccT} \qquad a[(b/x) \cdot t] = a[t] \qquad (x \text{ does not occur in } a)$$

$$\mathrm{OccS} \qquad s \circ ((a/x) \cdot t) = (a/x) \cdot (s \circ t) \qquad (x \text{ does not occur in } s)$$

$$\mathrm{Comm} \qquad (a/x) \cdot ((b/y) \cdot s) = (b/y) \cdot ((a/x) \cdot s) \qquad (x \neq y)$$

$$\mathrm{Alpha} \qquad \lambda x.a = \lambda y.(a[(y/x) \cdot \mathit{id}]) \qquad (y \text{ does not occur in } a)$$

This is an unpleasant set of rules. The Comm rule destroys the existence of
substitution normal forms and the Alpha rule expresses renaming of bound
variables. Intuitively, we may take this as a hint that this calculus with
names does not really enjoy nice confluence features. In this respect, the
calculus in De Bruijn notation seems preferable.

There is an alternative solution, with the shift operator. The syntax is
now:

$$\text{Terms} \quad a ::= x \mid ab \mid \lambda x.a \mid a[s]$$

$$\text{Substitutions} \quad s ::= \mathit{id} \mid \uparrow \mid (a/x) \cdot s \mid s \circ t$$

In this notation, intuitively, $x[\uparrow]$ refers to $x$ after the first binder. The
equations are the ones of the λσ-calculus in De Bruijn notation except for:

$$\mathrm{Beta} \qquad (\lambda x.a)b = a[(b/x) \cdot \mathit{id}]$$

$$\mathrm{Var1} \qquad x[(a/x) \cdot s] = a$$

$$\mathrm{Var2} \qquad x[(a/y) \cdot s] = x[s] \qquad (x \neq y)$$

$$\mathrm{Var3} \qquad x[\mathit{id}] = x$$

$$\mathrm{Abs} \qquad (\lambda x.a)[s] = \lambda x.(a[(x/x) \cdot (s \circ \uparrow)])$$

This framework may be useful for showing the differences between dynamic
and lexical scopes in programming languages. The rules here correspond
to lexical binding, but dynamic binding is obtained by erasing the shift
operator in rule Abs.

3.4 A normal-order strategy

As usual, we want a complete rewriting strategy, that is, a deterministic method
for finding a normal form whenever one exists. Here we study normal-order
strategies, in which the leftmost-outermost redex is chosen at each
step. Completeness is established via the completeness of the normal-order
strategy for the λ-calculus.

The normal-order algorithm naturally decomposes into two parts: a routine
for obtaining weak head normal forms, and recursive calls on this routine.
In our setting, weak head normal forms are defined as follows:

Definition 3.7 A weak head normal form (whnf for short) is a λσ term of
the form $\lambda a$ or $n\, a_1 \cdots a_m$.
As a starting point, we take the classical definition of (one step) weak
normal-order β reduction in the λ-calculus, written $\to^{n}_{\beta}$:

$$(\lambda a)b \to^{n}_{\beta} \sigma(a[b \cdot \mathit{id}])$$

$$\frac{a \to^{n}_{\beta} a'}{ab \to^{n}_{\beta} a'b}$$

There are several possibilities for implementing recursive calls, in order to
obtain full normal forms; the simplest one consists in adding two rules:

$$\frac{a_i \to^{n}_{\beta} a_i' \qquad (a_j \text{ in normal form for } j < i)}{n\, a_1 \ldots a_i \ldots a_m \to^{n}_{\beta} n\, a_1 \ldots a_i' \ldots a_m}$$

$$\frac{a \to^{n}_{\beta} a'}{\lambda a \to^{n}_{\beta} \lambda a'}$$

We do not include these rules, and from now on focus on weak head normal
forms, though it is routine to extend the results below to normal forms.
The analogous reduction mechanism for the λσ-calculus, written $\to^{n}$, is:

$$(\lambda a)b \to^{n} a[b \cdot \mathit{id}]$$

$$\frac{a \to^{n} a'}{ab \to^{n} a'b}$$

$$1[\mathit{id}] \to^{n} 1$$

$$1[a \cdot s] \to^{n} a$$

$$\frac{s \to^{n} s'}{1[s] \to^{n} 1[s']}$$

$$(ab)[s] \to^{n} (a[s])(b[s])$$

$$(\lambda a)[s] \to^{n} \lambda(a[1 \cdot (s \circ \uparrow)])$$

$$a[s][t] \to^{n} a[s \circ t]$$

$$\mathit{id} \circ s \to^{n} s$$

$$\uparrow \circ \mathit{id} \to^{n} \uparrow$$

$$\uparrow \circ (a \cdot s) \to^{n} s$$

$$\frac{s \to^{n} s'}{\uparrow \circ s \to^{n} \uparrow \circ s'}$$

$$(a \cdot s) \circ t \to^{n} a[t] \cdot (s \circ t)$$

$$(s \circ s') \circ s'' \to^{n} s \circ (s' \circ s'')$$
Clearly, $\to^{n}_{\beta}$ and $\to^{n}$ are closely related:

Proposition 3.8 If $a \to^{n} b$ then either $\sigma(a) \to^{n}_{\beta} \sigma(b)$ or $\sigma(a)$ and $\sigma(b)$ are
identical. The $\to^{n}$ reduction of $a$ terminates (with a weak head normal form)
iff the $\to^{n}_{\beta}$ reduction of $\sigma(a)$ terminates.

Proof As for the first part, let $a \to^{n} b$. If the underlying redex is a
σ redex, then obviously $\sigma(a) = \sigma(b)$. If the underlying redex is a Beta
redex, then $a$ is of the form $(\lambda a_1)a_2 \ldots a_n$, and from $\sigma((\lambda a_1)a_2 \ldots a_n) = (\lambda\sigma(a_1))\sigma(a_2) \cdots \sigma(a_n)$ we can derive $\sigma(a) \to^{n}_{\beta} \sigma(b)$.

As for the second part, notice that a $\to^{n}$ reduction stops exactly when a
weak head normal form is reached. Thus, for the "if" part of the claim, it
suffices to check that the $\to^{n}$ reduction of $a$ terminates. We define $\to^{n=}_{\beta}$ as the
reflexive closure of $\to^{n}_{\beta}$. Let

$$a_0 \to^{n} a_1 \to^{n} \cdots \to^{n} a_k \to^{n} \cdots$$

be a $\to^{n}$ reduction sequence. Then

$$\sigma(a_0) \to^{n=}_{\beta} \sigma(a_1) \to^{n=}_{\beta} \cdots \to^{n=}_{\beta} \sigma(a_k) \to^{n=}_{\beta} \cdots$$

is a $\to^{n=}_{\beta}$ reduction sequence, which cannot have infinitely many consecutive
reflexive steps because these reflexive steps correspond to σ reductions,
and σ reductions terminate.

Conversely, suppose that $b$ is a weak head normal form; then $\sigma(b)$ is a
weak head normal form. □

Corollary 3.9 $\to^{n}$ is a complete strategy.

Proof This follows from the completeness of the $\to^{n}_{\beta}$ strategy. (See [1] for
a proof in the classical notation.) □

With the same approach, we can also define a system $\to^{n'}$ which incorporates
some slight optimizations (present also in our abstract machine,
below). In $\to^{n'}$, the rule

$$((\lambda a)[s])b \to^{n'} a[b \cdot s]$$

replaces the rules

$$(\lambda a)b \to^{n} a[b \cdot \mathit{id}]$$

$$(\lambda a)[s] \to^{n} \lambda(a[1 \cdot (s \circ \uparrow)])$$

The new rule is an optimization justified by the σ + IdR reduction steps

$$((\lambda a)[s])b \to (\lambda(a[1 \cdot (s \circ \uparrow)]))b \to a[1 \cdot (s \circ \uparrow)][b \cdot \mathit{id}] \to a[(1 \cdot (s \circ \uparrow)) \circ (b \cdot \mathit{id})] \to^{*} a[b \cdot s]$$

which is not allowed in $\to^{n}$.

Both $\to^{n}$ and $\to^{n'}$ are weak in the sense that they do not reduce under λ's.
In addition, $\to^{n'}$ is also weak in the sense that substitutions are not pushed
under λ's. In this respect, $\to^{n'}$ models environment machines, while $\to^{n}$ is
closer to combinator reduction machines.

We do not exactly obtain weak head normal forms; in particular, $\to^{n'}$
does not reduce even $(\lambda 11)(\lambda 11)$ or $(1[(\lambda 11) \cdot \mathit{id}])(\lambda 11)$. This motivates
a syntactic restriction which entails no loss of generality: we start with
closures, and all conses have the form $a[s] \cdot t$. Under this restriction, we
cannot start with $(\lambda 11)(\lambda 11)$, but instead have to write $((\lambda 11)(\lambda 11))[\mathit{id}]$,
which has the expected, nonterminating behavior. The correctness of $\to^{n'}$
with respect to normal-order weak head normal form reduction in the λ-calculus
can now be proved as in Proposition 3.8.

Proposition 3.10 If $a \to^{n'} b$ then either $\sigma(a) \to^{n}_{\beta} \sigma(b)$ or $\sigma(a)$ and $\sigma(b)$ are
identical. The $\to^{n'}$ reduction terminates (with a term of the form $(\lambda a)[s]$ or
$n\, a_1 \ldots a_m$) iff the $\to^{n}_{\beta}$ reduction of $\sigma(a)$ terminates.

Proof The proof goes exactly as in Proposition 3.8. The only slight difficulty
is in establishing that the $\to^{n'}$ reduction terminates exactly on the terms
of the form indicated in the statement. The following invariant of the $\to^{n'}$
reduction is useful:

For each term $b$ in the $\to^{n'}$ reduction sequence starting from $a[s]$,

1. $b$ is a term of the restricted syntax, that is, all subexpressions $b''$ in
contexts $b'' \cdot s''$ are closures;

2. the first node on the spine of $b$ (the leftmost branch of the tree
representation of $b$) that is not an application can only be a closure $b'[s]$
or 1, and all the right arguments of the application nodes above are
closures.

We first prove this invariant. We show that if the properties stated hold for
$b$ and $b \to^{n'} c$ then they hold for $c$. Notice that the properties are proved
together. If the node mentioned in the claim is 1, then the $\to^{n'}$ reduction is
terminated. If it is a closure $b'[s]$, the proof goes by cases on the structure
of $b'$, and if $b'$ is 1 by cases on the structure of $s$. We detail only two crucial
cases, one for each part of the claim. When $b'[s]$ has the form $(\lambda a')[s]$
and is not the root of $b$, then its immediate context in $b$ has the form
$((\lambda a')[s])(a''[s''])$ (by induction hypothesis), and becomes $a'[a''[s''] \cdot s]$. When
$b'[s]$ has the form $1[a'[s'] \cdot t]$, then $c$ is $b$ where $b'[s]$ is replaced with $a'[s']$,
another closure. (The restriction on the syntax is crucial here.)

Now we derive the claim about $\to^{n'}$ normal forms. Suppose that $b$ and
$b'[s]$ are as in the statement of the invariant, and that moreover $b$ is not
reducible by $\to^{n'}$. An easy check of the rules allows us to exclude the
possibility that $b'$ be an application or a closure. It can be 1 only if $s$ is not
further reducible and is not a cons, which forces $s$ to have the form $\uparrow^{k}$.
Finally, $b'$ can be an abstraction only if $b = b'[s]$. □

3.5 Towards an implementation

As a further refinement towards an implementation, we adapt $\to^{n'}$ to
manipulate only expressions of the forms $a[t]$ and $s \circ t$. The substitution $t$
corresponds to the "global environment," whereas substitutions deeper in $a$
or $s$ correspond to "local declarations." In defining our machine, we take
the view that the linear representation of $a$ can be read as a sequence of
machine instructions acting on the graph representation of $t$.

In this approach, some of the original rules are no longer acceptable,
since they do not yield expressions of the desired forms. For example, the
reduct of the App rule, $(a[s])(b[s])$, is not a closure. In order to reduce
$(ab)[s]$, we have to reduce $a[s]$ to a weak head normal form first. In the
machine discussed below, we use a stack for storing $b[s]$.

The following reducer whnf() embodies these modifications to $\to^{n'}$. The
reducer takes a pair of arguments, the term $a$ and the substitution $s$ of a
closure, and returns another pair, of the form $(n\, a_1 \cdots a_m, \mathit{id})$ or $(\lambda a', s')$. To
compute whnf(), the following axioms and rules should be applied, in the
order of their listing. We proceed by cases on the structure of $a$, and when
$a$ is $n$ by cases on the structure of $s$, and when $s$ is a composition $t \circ t'$ by
cases on the structure of $t$.

$$\mathit{whnf}(\lambda a, s) = (\lambda a, s)$$

$$\frac{\mathit{whnf}(a, s) = (\lambda a', s')}{\mathit{whnf}(ab, s) = \mathit{whnf}(a', b[s] \cdot s')}$$

$$\frac{\mathit{whnf}(a, s) = (a', \mathit{id}) \qquad (a' \text{ not an abstraction})}{\mathit{whnf}(ab, s) = (a'(b[s]), \mathit{id})}$$

$$\mathit{whnf}(n, \mathit{id}) = (n, \mathit{id})$$

$$\mathit{whnf}(n, \uparrow) = (n{+}1, \mathit{id})$$

$$\mathit{whnf}(1, a[s] \cdot t) = \mathit{whnf}(a, s)$$

$$\mathit{whnf}(n{+}1, a \cdot s) = \mathit{whnf}(n, s)$$

$$\mathit{whnf}(n, s \circ s') = \mathit{whnf}(n[s], s')$$

$$\mathit{whnf}(n[\mathit{id}], s) = \mathit{whnf}(n, s)$$

$$\mathit{whnf}(n[\uparrow], s) = \mathit{whnf}(n{+}1, s)$$

$$\mathit{whnf}(1[a \cdot s], s') = \mathit{whnf}(a, s')$$

$$\mathit{whnf}(n{+}1[a \cdot s], s') = \mathit{whnf}(n[s], s')$$

$$\mathit{whnf}(n[s \circ s'], s'') = \mathit{whnf}(n[s], s' \circ s'')$$

$$\mathit{whnf}(a[s], s') = \mathit{whnf}(a, s \circ s')$$

A simple extension of these rules yields full normal forms:

$$\frac{\mathit{whnf}(a, s) = (\lambda a', t)}{\mathit{nf}(a, s) = \lambda(\mathit{nf}(a', 1 \cdot (t \circ \uparrow)))}$$

$$\frac{\mathit{whnf}(a, s) = (n(a_1[s_1]) \ldots (a_m[s_m]), \mathit{id})}{\mathit{nf}(a, s) = n(\mathit{nf}(a_1, s_1)) \ldots (\mathit{nf}(a_m, s_m))}$$

The precise soundness property of whnf() is:

Proposition 3.11 The equation $\mathit{whnf}(a, s) = (a', s')$ is provable if and only
if $\sigma(a'[s'])$ is the weak head normal form of $\sigma(a[s])$.
Proof It is routine to check the correctness of whnf() with respect to $\to^{n'}$.
Specifically, $\mathit{whnf}(n, s) = (a', s')$ is provable iff $a'[s']$ is the $\to^{n'}$ normal form
of $1[(\uparrow \circ (\ldots(\uparrow \circ s)\ldots))]$ (with $n-1$ $\uparrow$'s); $\mathit{whnf}(n[t], s) = (a', s')$ is provable
iff $a'[s']$ is the $\to^{n'}$ normal form of $1[(\uparrow \circ (\ldots(\uparrow \circ (t \circ s))\ldots))]$ (with $n-1$ $\uparrow$'s);
in all other cases, $\mathit{whnf}(a, s) = (a', s')$ is provable iff $a'[s']$ is the $\to^{n'}$ normal
form of $a[s]$. □
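As an added example (not code from the paper), the following Python transcribes the whnf() equations and the nf() extension above on De Bruijn λσ terms encoded as tuples, and exercises them on Church-numeral arithmetic; the numeral helpers and the plus and times programs are constructed for the demonstration. One liberty is taken in the rule for 1 under a cons: an element that is not a closure is read as a[id], which keeps the restart substitution 1·(t∘↑) of nf() inside the reducer's domain.

```python
"""Normal-order weak head reducer whnf() and full normaliser nf() for the
De Bruijn lambda-sigma calculus.  Added example, not the paper's code.

Terms:          ('var', n)   ('app', a, b)   ('lam', a)   ('clos', a, s)
Substitutions:  ('id',)      ('shift',)      ('cons', a, s)   ('comp', s, t)
"""

ID, SHIFT = ('id',), ('shift',)


def whnf(a, s):
    """Return (a', s') with a' an abstraction, or a' = n a1 ... am and s' = id."""
    kind = a[0]
    if kind == 'lam':                                   # whnf(λa, s) = (λa, s)
        return a, s
    if kind == 'app':
        head, t = whnf(a[1], s)
        if head[0] == 'lam':                            # whnf(ab, s) = whnf(a', b[s].s')
            return whnf(head[1], ('cons', ('clos', a[2], s), t))
        return ('app', head, ('clos', a[2], s)), ID     # head is n a1..am: append b[s]
    if kind == 'clos':                                  # whnf(a[s], s') = whnf(a, s o s')
        return whnf(a[1], ('comp', a[2], s))
    n = a[1]                                            # a is the index n: cases on s
    if s[0] == 'id':                                    # whnf(n, id) = (n, id)
        return a, ID
    if s[0] == 'shift':                                 # whnf(n, shift) = (n+1, id)
        return ('var', n + 1), ID
    if s[0] == 'cons':
        if n == 1:                                      # whnf(1, a[s].t) = whnf(a, s)
            elem = s[1]                                 # assumption: a non-closure element a is read as a[id]
            return whnf(elem[1], elem[2]) if elem[0] == 'clos' else whnf(elem, ID)
        return whnf(('var', n - 1), s[2])               # whnf(n+1, a.s) = whnf(n, s)
    t, rest = s[1], s[2]                                # s = t o rest: cases on t
    if t[0] == 'id':                                    # whnf(n[id], s') = whnf(n, s')
        return whnf(a, rest)
    if t[0] == 'shift':                                 # whnf(n[shift], s') = whnf(n+1, s')
        return whnf(('var', n + 1), rest)
    if t[0] == 'cons':
        if n == 1:                                      # whnf(1[a.s], s') = whnf(a, s')
            return whnf(t[1], rest)
        return whnf(('var', n - 1), ('comp', t[2], rest))      # whnf(n+1[a.s], s') = whnf(n[s], s')
    return whnf(a, ('comp', t[1], ('comp', t[2], rest)))       # whnf(n[s o s'], s'') = whnf(n[s], s' o s'')


def nf(a, s):
    """Full normal form of a[s]: normalise under binders and in every argument."""
    head, t = whnf(a, s)
    if head[0] == 'lam':                                # nf(a, s) = λ(nf(a', 1.(t o shift)))
        return ('lam', nf(head[1], ('cons', ('var', 1), ('comp', t, SHIFT))))
    args = []                                           # head = n (a1[s1]) ... (am[sm]), collect the closures
    while head[0] == 'app':
        args.append(head[2])
        head = head[1]
    for closure in reversed(args):                      # nf(a, s) = n nf(a1, s1) ... nf(am, sm)
        head = ('app', head, nf(closure[1], closure[2]))
    return head


def church(k):
    """Constructed sample: Church numeral k in De Bruijn form, λλ 2 (2 (... (2 1)))."""
    body = ('var', 1)
    for _ in range(k):
        body = ('app', ('var', 2), body)
    return ('lam', ('lam', body))


def church_value(term):
    """Read a normal form λλ 2(2(...1)) back as an integer; None if it is not a numeral."""
    if term[0] != 'lam' or term[1][0] != 'lam':
        return None
    body, count = term[1][1], 0
    while body[0] == 'app' and body[1] == ('var', 2):
        body, count = body[2], count + 1
    return count if body == ('var', 1) else None


# Constructed sample programs: plus = λm.λn.λf.λx. m f (n f x) and times = λm.λn.λf. m (n f).
PLUS = ('lam', ('lam', ('lam', ('lam',
        ('app', ('app', ('var', 4), ('var', 2)),
                ('app', ('app', ('var', 3), ('var', 2)), ('var', 1)))))))
TIMES = ('lam', ('lam', ('lam', ('app', ('var', 3), ('app', ('var', 2), ('var', 1))))))


def evaluate(f, *args):
    """Normalise f a1 ... ak in the global environment id and read the result as a numeral."""
    term = f
    for x in args:
        term = ('app', term, x)
    return church_value(nf(term, ID))


if __name__ == '__main__':
    print(evaluate(PLUS, church(2), church(3)), evaluate(TIMES, church(2), church(3)))
```

The cases are tried in the order the equations are listed, so the function is deterministic exactly as the text requires; a free index in the global environment id comes back unchanged, and an index met under ↑ is renumbered rather than looked up.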

The last step we consider is the derivation of a transition machine from
the rules for whnf(). One basic idea is to implement the recursive call on
$a[s]$ during the evaluation of $(ab)[s]$ by using a stack to store the argument
$b[s]$. Thus, the stack contains closures.

The following table represents an extension of Krivine's abstract machine
[13, 5]. The first column represents the "current state," the second
one represents the "next state." Each line has to be read as a transition
from a triplet (Subst, Term, Stack) to a triplet of the same nature. To
evaluate a program $a$ in the global environment $s$, the machine is started in
state $(s, a, ())$, where $()$ is the empty stack. The machine repeatedly uses
the first applicable rule. The machine stops when no transition is applicable
any more. These termination states have one of the forms $(\mathit{id}, n, a_1 \cdot \ldots \cdot a_m)$
and $(s, \lambda a, ())$, which represent $n\, a_1 \cdots a_m$ and $(\lambda a)[s]$, respectively.



Each transition below reads $(\mathrm{Subst}, \mathrm{Term}, \mathrm{Stack}) \to (\mathrm{Subst}, \mathrm{Term}, \mathrm{Stack})$, with $S$ the current stack:

$$(\uparrow,\ n,\ S) \to (\mathit{id},\ n{+}1,\ S)$$

$$(a[s] \cdot t,\ 1,\ S) \to (s,\ a,\ S)$$

$$(a \cdot s,\ n{+}1,\ S) \to (s,\ n,\ S)$$

$$(s \circ s',\ n,\ S) \to (s',\ n[s],\ S)$$

$$(s,\ ab,\ S) \to (s,\ a,\ b[s] \cdot S)$$

$$(s,\ \lambda a,\ b[t] \cdot S) \to (b[t] \cdot s,\ a,\ S)$$

$$(s,\ n[\mathit{id}],\ S) \to (s,\ n,\ S)$$

$$(s,\ n[\uparrow],\ S) \to (s,\ n{+}1,\ S)$$

$$(s',\ 1[a \cdot s],\ S) \to (s',\ a,\ S)$$

$$(s',\ n{+}1[a \cdot s],\ S) \to (s',\ n[s],\ S)$$

$$(s'',\ n[s \circ s'],\ S) \to (s' \circ s'',\ n[s],\ S)$$

$$(s',\ a[s],\ S) \to (s \circ s',\ a,\ S)$$

The machine can be restarted when it stops, and then we have a full
normal form reducer. Specifically, when the machine terminates with the
triplet $(s, \lambda a, ())$, we restart it in the initial state $(1 \cdot (s \circ \uparrow), a, ())$, and when
the machine terminates with the triplet $(\mathit{id}, n, a_1[s_1] \cdot \ldots \cdot a_n[s_n] \cdot ())$, we
restart $n$ copies of the machine in the states $(s_1, a_1, ()), \ldots, (s_n, a_n, ())$.

The correctness of the machine can be stated as follows (we omit the
simple proof).

Proposition 3.12 Starting in the state $(s, a, ())$, the machine terminates
in $(\mathit{id}, n, a_1 \cdot \ldots \cdot a_m)$ iff $\mathit{whnf}(a, s) = (n\, a_1 \ldots a_m, \mathit{id})$, and terminates in
$(s', \lambda a', ())$ iff $\mathit{whnf}(a, s) = (\lambda a', s')$.

By now, we are far away from the wildly nondeterministic basic rewriting
system of Section 3.1. However, through the derivations, we have managed
to keep some understanding of the successive refinements and to guarantee
their correctness. This has been possible because the λσ-calculus is more
concrete than the λ-calculus, and hence an easier starting point.
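The transition table and the restart procedure as executable code, added here as an example rather than taken from the paper. step() applies the first matching transition to a (Subst, Term, Stack) triple, run() iterates it under a step budget (the machine loops on the Ω term), and normalize() performs the restarts. Two assumptions of my own: the restart under a λ uses 1[id]·(s∘↑) instead of 1·(s∘↑) so that every cons element stays a closure as the restricted syntax requires, and a 1 under a non-closure cons element is evaluated in id. The S, K and Ω terms are constructed samples.

```python
"""Krivine-style abstract machine for the lambda-sigma calculus.  Added example,
not the paper's code.  States are (subst, term, stack); the stack is a list
whose last element is the top.

Terms:          ('var', n)   ('app', a, b)   ('lam', a)   ('clos', a, s)
Substitutions:  ('id',)      ('shift',)      ('cons', a, s)   ('comp', s, t)
"""

ID, SHIFT = ('id',), ('shift',)


def step(state):
    """Apply the first matching transition; return (new_state, label), or None when the machine halts."""
    s, a, stack = state
    kind = a[0]
    if kind == 'var':
        n = a[1]
        if s[0] == 'shift':                                     # (shift, n, S) -> (id, n+1, S)
            return (ID, ('var', n + 1), stack), 'shift'
        if s[0] == 'cons':
            if n == 1:                                          # (a[s].t, 1, S) -> (s, a, S)
                elem = s[1]                                     # assumption: a bare element a is read as a[id]
                new = (elem[2], elem[1], stack) if elem[0] == 'clos' else (ID, elem, stack)
                return new, 'cons-1'
            return (s[2], ('var', n - 1), stack), 'cons-n'      # (a.s, n+1, S) -> (s, n, S)
        if s[0] == 'comp':                                      # (s o s', n, S) -> (s', n[s], S)
            return (s[2], ('clos', a, s[1]), stack), 'comp'
        return None                                             # (id, n, S): halt on a head variable
    if kind == 'app':                                           # (s, ab, S) -> (s, a, b[s].S)
        return (s, a[1], stack + [('clos', a[2], s)]), 'app'
    if kind == 'lam':
        if stack:                                               # (s, λa, b[t].S) -> (b[t].s, a, S)
            return (('cons', stack[-1], s), a[1], stack[:-1]), 'beta'
        return None                                             # (s, λa, ()): halt on an abstraction
    body, t = a[1], a[2]                                        # a is the closure body[t]
    if body[0] == 'var':
        n = body[1]
        if t[0] == 'id':                                        # (s, n[id], S) -> (s, n, S)
            return (s, body, stack), 'clos-id'
        if t[0] == 'shift':                                     # (s, n[shift], S) -> (s, n+1, S)
            return (s, ('var', n + 1), stack), 'clos-shift'
        if t[0] == 'cons':
            if n == 1:                                          # (s', 1[a.s], S) -> (s', a, S)
                return (s, t[1], stack), 'clos-cons-1'
            return (s, ('clos', ('var', n - 1), t[2]), stack), 'clos-cons-n'   # n+1[a.s] -> n[s]
        return (('comp', t[2], s), ('clos', body, t[1]), stack), 'clos-comp'   # n[s o s'] in s'' -> n[s] in s' o s''
    return (('comp', t, s), body, stack), 'clos'                # (s', a[s], S) -> (s o s', a, S)


def run(state, fuel=10_000):
    """Iterate step(); return (halting_state, labels) or None if the budget runs out."""
    labels = []
    for _ in range(fuel):
        result = step(state)
        if result is None:
            return state, labels
        state, label = result
        labels.append(label)
    return None


def halting_trace(term, subst=ID, fuel=10_000):
    """Run the machine from (subst, term, ()) and report where it stops and which rules fired."""
    return run((subst, term, []), fuel)


def normalize(term, subst=ID, fuel=10_000):
    """Full normal form of term[subst] by restarting the machine, or None if the budget runs out."""
    halted = run((subst, term, []), fuel)
    if halted is None:
        return None
    (s, a, stack), _ = halted
    if a[0] == 'lam':                                           # (s, λa, ()): restart on (1[id].(s o shift), a, ())
        body = normalize(a[1], ('cons', ('clos', ('var', 1), ID), ('comp', s, SHIFT)), fuel)
        return None if body is None else ('lam', body)
    result = a                                                  # (id, n, a1[s1] ... am[sm]): restart on each argument
    for closure in reversed(stack):                             # the top of the stack is the first argument
        arg = normalize(closure[1], closure[2], fuel)
        if arg is None:
            return None
        result = ('app', result, arg)
    return result


# Constructed samples: the S and K combinators and the looping Omega, in De Bruijn form.
S_COMB = ('lam', ('lam', ('lam', ('app', ('app', ('var', 3), ('var', 1)), ('app', ('var', 2), ('var', 1))))))
K_COMB = ('lam', ('lam', ('var', 2)))
OMEGA = ('app', ('lam', ('app', ('var', 1), ('var', 1))), ('lam', ('app', ('var', 1), ('var', 1))))

if __name__ == '__main__':
    print(normalize(('app', ('app', S_COMB, K_COMB), K_COMB)))   # S K K normalises to λ1
```

Because the machine never copies a term, the only work done on an application is pushing one closure; the substitution composed at the `clos` transition is never flattened, which is exactly the delayed-substitution discipline the paper motivates in its introduction.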

4 First-order theories

In the previous section, we have seen how to derive a machine that can be
used as a sensible implementation of the untyped λσ-calculus, and in turn
of the untyped λ-calculus. Different implementation issues arise in typed
systems. For typed calculi, we need not just an execution machine, but
also a typechecker. As will become apparent when we discuss second-order
systems, explicit substitutions can also help in deriving typecheckers. Thus,
we want a typechecker for the λσ-calculus.

At the first order, the typechecker does not present much difficulty. In
addition to the usual rules for a classical system L1, we must handle the
typechecking of substitutions. Inspection of the rules of L1 shows that this
can be done easily, since the rules are deterministic.

In this section we describe the first-order typed λσ-calculus. We prove
that it preserves types under reductions, and that it is sound with respect to
the λ-calculus. We move on to the second-order calculus in the next section.

We start by recalling the syntax and the type rules of the first-order
λ-calculus with De Bruijn's notation.

$$\text{Types} \quad A ::= K \mid A \to B$$

$$\text{Environments} \quad E ::= \mathit{nil} \mid A, E$$

$$\text{Terms} \quad a ::= n \mid \lambda A.a \mid ab$$
Definition 4.1 (Theory L1)

$$(\text{L1-var}) \qquad A, E \vdash 1 : A$$

$$(\text{L1-varn}) \qquad \frac{E \vdash n : B}{A, E \vdash n{+}1 : B}$$

$$(\text{L1-lambda}) \qquad \frac{A, E \vdash b : B}{E \vdash \lambda A.b : A \to B}$$

$$(\text{L1-app}) \qquad \frac{E \vdash b : A \to B \qquad E \vdash a : A}{E \vdash ba : B}$$

We do not include the β rule, because we now focus on typechecking rather
than on evaluation.

The first-order λσ-calculus has the following syntax:

$$\text{Types} \quad A ::= K \mid A \to B$$

$$\text{Environments} \quad E ::= \mathit{nil} \mid A, E$$

$$\text{Terms} \quad a ::= 1 \mid ab \mid \lambda A.a \mid a[s]$$

$$\text{Substitutions} \quad s ::= \mathit{id} \mid \uparrow \mid a{:}A \cdot s \mid s \circ t$$

The type rules come in two groups, one for giving types to terms, and one
for giving environments to substitutions. The two groups interact through
the rule for closures.

Definition 4.2 (Theory S1)

$$(\text{S1-var}) \qquad A, E \vdash 1 : A$$

$$(\text{S1-lambda}) \qquad \frac{A, E \vdash b : B}{E \vdash \lambda A.b : A \to B}$$

$$(\text{S1-app}) \qquad \frac{E \vdash b : A \to B \qquad E \vdash a : A}{E \vdash ba : B}$$

$$(\text{S1-clos}) \qquad \frac{E \vdash s \triangleright E' \qquad E' \vdash a : A}{E \vdash a[s] : A}$$

$$(\text{S1-id}) \qquad E \vdash \mathit{id} \triangleright E$$

$$(\text{S1-shift}) \qquad A, E \vdash \uparrow \triangleright E$$

$$(\text{S1-cons}) \qquad \frac{E \vdash a : A \qquad E \vdash s \triangleright E'}{E \vdash a{:}A \cdot s \triangleright A, E'}$$

$$(\text{S1-comp}) \qquad \frac{E \vdash s'' \triangleright E'' \qquad E'' \vdash s' \triangleright E'}{E \vdash s' \circ s'' \triangleright E'}$$

In S1, we include neither the Beta axiom nor the σ axioms.

Clearly, typechecking is decidable in S1. Furthermore, the fact that we
can separate typing of terms from typing of substitutions is quite pleasant;
as we have seen, this property does not extend to the second order.

We proceed to show that S1 is sound. As a preliminary, we prove two
lemmas. The first lemma relies on the notion of σ normal form, which was
defined in the previous section. We use a modified version of the σ rules, in
order to deal with typed terms; four of the rules change.

$$\mathrm{VarCons} \qquad 1[a{:}A \cdot s] = a$$

$$\mathrm{Abs} \qquad (\lambda A.a)[s] = \lambda A.(a[1{:}A \cdot (s \circ \uparrow)])$$

$$\mathrm{ShiftCons} \qquad \uparrow \circ (a{:}A \cdot s) = s$$

$$\mathrm{Map} \qquad (a{:}A \cdot s) \circ t = a[t]{:}A \cdot (s \circ t)$$

The typed version of σ enjoys the properties of the untyped version.
A term in σ normal form is typeable in S1 iff it is typeable in L1:

Lemma 4.3 (Same theory on normal forms) Let $a$ be in σ normal
form. Then $E \vdash_{S1} a : A$ iff $E \vdash_{L1} a : A$.

Proof The argument is an easy induction on the length of proofs. The
only delicate case is the one that deals with the rules L1-varn and S1-clos
(in S1, the index $n{+}1$ is spelled $1[\uparrow^{n}]$).

First, we assume that $A, E \vdash_{L1} n{+}1 : B$, and show that $A, E \vdash_{S1} n{+}1 : B$.
Since $A, E \vdash_{L1} n{+}1 : B$, it must be that $E \vdash_{L1} n : B$. By induction
hypothesis, $E \vdash_{S1} n : B$. Unless $n$ is 1 (a trivial case), the last rule in the
S1 proof could only be S1-clos, and then it must be that $E \vdash_{S1} \uparrow^{n-1} \triangleright E'$
and $E' \vdash_{S1} 1 : B$ for some $E'$. In fact, it must be that $E \vdash_{S1} \uparrow^{n-1} \triangleright B, E''$
and $B, E'' \vdash_{S1} 1 : B$ for some $E''$. Then S1-shift and S1-comp yield
$A, E \vdash_{S1} \uparrow^{n} \triangleright B, E''$, and S1-clos yields $A, E \vdash_{S1} 1[\uparrow^{n}] : B$, the desired
result.

For the converse, we assume that $E \vdash_{S1} n{+}1 : B$, in order to show that
$E \vdash_{L1} n{+}1 : B$. Since $E \vdash_{S1} n{+}1 : B$, it must be that $E \vdash_{S1} \uparrow^{n} \triangleright E'$ and
$E' \vdash_{S1} 1 : B$ for some $E'$ (unless $n$ is 1, a trivial case). Further analysis
shows that $E$ must be of the form $C, E''$ and that $E'' \vdash_{S1} \uparrow^{n-1} \triangleright B, E_0$, and
hence $E'' \vdash_{S1} n : B$. The proof of this last theorem is shorter than the proof
of $E \vdash_{S1} n{+}1 : B$. By induction hypothesis, it follows that $E'' \vdash_{L1} n : B$,
and then $C, E'' \vdash_{L1} n{+}1 : B$, that is, $E \vdash_{L1} n{+}1 : B$. □

Let $\to_{\sigma}$ denote one-step reduction with the σ rules; σ reductions preserve
typings in S1.

Lemma 4.4 (Subject reduction) If $a \to_{\sigma} a'$ and $E \vdash_{S1} a : A$, then
$E \vdash_{S1} a' : A$. Similarly, if $s \to_{\sigma} s'$ and $E' \vdash_{S1} s \triangleright E''$, then $E' \vdash_{S1} s' \triangleright E''$.

Proof We inspect the σ rules one by one; we abbreviate $\vdash_{S1}$ as $\vdash$.

Var: Let $1[b{:}B \cdot s] \to_{\sigma} b$. Suppose $E \vdash 1[b{:}B \cdot s] : A$. By S1-clos,
$E \vdash b{:}B \cdot s \triangleright E_1$ and $E_1 \vdash 1 : A$, for some $E_1$. Furthermore, by
S1-cons, $E \vdash b{:}B \cdot s \triangleright B, E_2$, with $E_1 = B, E_2$, with $E \vdash b : B$, and
with $E \vdash s \triangleright E_2$. By S1-var, $B, E_2 \vdash 1 : A$ implies $B = A$, and thus
$E \vdash b : A$.

App: Let $(ba)[s] \to_{\sigma} (b[s])(a[s])$. Suppose $E \vdash (ba)[s] : B$. By S1-clos, $E \vdash s \triangleright E_1$
and $E_1 \vdash ba : B$, and hence $E_1 \vdash b : A \to B$ and $E_1 \vdash a : A$. By
S1-clos, moreover, $E \vdash b[s] : A \to B$ and $E \vdash a[s] : A$. Therefore,
$E \vdash (b[s])(a[s]) : B$.

Abs: Let $(\lambda A.b)[s] \to_{\sigma} \lambda A.(b[1{:}A \cdot (s \circ \uparrow)])$. Suppose $E \vdash (\lambda A.b)[s] : C$. By
S1-clos, $E \vdash s \triangleright E_1$ and $E_1 \vdash \lambda A.b : C$. By S1-lambda, $C = A \to B$
and $A, E_1 \vdash b : B$. Now, we apply S1-shift and S1-comp to obtain
$A, E \vdash \uparrow \triangleright E$ and then $A, E \vdash s \circ \uparrow \triangleright E_1$. Since $A, E \vdash 1 : A$
by S1-var, S1-cons gives us $A, E \vdash 1{:}A \cdot (s \circ \uparrow) \triangleright A, E_1$. Finally, since
$A, E_1 \vdash b : B$, S1-clos yields $A, E \vdash b[1{:}A \cdot (s \circ \uparrow)] : B$, and therefore
$E \vdash \lambda A.(b[1{:}A \cdot (s \circ \uparrow)]) : A \to B$ by S1-lambda.

Clos: Let $(b[s])[t] \to_{\sigma} b[s \circ t]$. Suppose $E \vdash (b[s])[t] : B$. Then $E \vdash t \triangleright E_1$
and $E_1 \vdash b[s] : B$, that is, $E_1 \vdash s \triangleright E_2$ and $E_2 \vdash b : B$. S1-comp
tells us $E \vdash s \circ t \triangleright E_2$, and then $E \vdash b[s \circ t] : B$ by S1-clos.

IdL: Let $\mathit{id} \circ s \to_{\sigma} s$. Suppose $E \vdash \mathit{id} \circ s \triangleright E'$. Then $E \vdash s \triangleright E''$ and
$E'' \vdash \mathit{id} \triangleright E'$, by S1-comp, and $E'' = E'$ by S1-id. Finally, $E \vdash s \triangleright E'$.

ShiftCons: Let $\uparrow \circ (a{:}A \cdot s) \to_{\sigma} s$. Suppose $E \vdash \uparrow \circ (a{:}A \cdot s) \triangleright E'$. Then
$E \vdash a{:}A \cdot s \triangleright E''$ and $E'' \vdash \uparrow \triangleright E'$, by S1-comp. S1-cons says $E \vdash a : A$
and $E \vdash s \triangleright E_1$, with $E'' = A, E_1$. By S1-shift, we have $E'' = A, E'$.
Therefore, $E_1 = E'$ and $E \vdash s \triangleright E'$.

Ass: Let $(s_1 \circ s_2) \circ s_3 \to_{\sigma} s_1 \circ (s_2 \circ s_3)$. To solve this case, we simply use
S1-comp twice.

Map: Let $(a{:}A \cdot s) \circ t \to_{\sigma} a[t]{:}A \cdot (s \circ t)$. Suppose $E \vdash (a{:}A \cdot s) \circ t \triangleright E'$.
Then $E \vdash t \triangleright E''$ and $E'' \vdash a{:}A \cdot s \triangleright E'$, by S1-comp. Hence, by
S1-cons, $E'' \vdash a : A$ and $E'' \vdash s \triangleright E_1$, with $E' = A, E_1$. Then
$E \vdash s \circ t \triangleright E_1$ by S1-comp, and $E \vdash a[t] : A$ by S1-clos. Finally,
$E \vdash a[t]{:}A \cdot (s \circ t) \triangleright A, E_1$, by S1-cons.

IdR: Let $s \circ \mathit{id} \to_{\sigma} s$. This case is similar to the case for IdL.

Id: Let $a[\mathit{id}] \to_{\sigma} a$. Suppose $E \vdash a[\mathit{id}] : A$. Then $E \vdash \mathit{id} \triangleright E'$ and
$E' \vdash a : A$ by S1-clos. S1-id implies $E' = E$. Thus, $E \vdash a : A$.

VarShift: Let $1{:}A \cdot \uparrow \to_{\sigma} \mathit{id}$. Suppose $E \vdash 1{:}A \cdot \uparrow \triangleright E'$. By S1-cons,
$E \vdash 1 : A$ and $E \vdash \uparrow \triangleright E''$, with $E' = A, E''$. S1-var yields $E = A, E_1$,
and S1-shift yields $E_1 = E''$. Finally, by S1-id, $A, E_1 \vdash \mathit{id} \triangleright A, E_1$,
that is, $E \vdash \mathit{id} \triangleright E'$.

SCons: Let $1[s]{:}A \cdot (\uparrow \circ s) \to_{\sigma} s$. This case is similar to the previous one.
□

Together, the two lemmas immediately give us soundness:

Proposition 4.5 (Soundness) If $E \vdash_{S1} a : A$, then $E \vdash_{L1} \sigma(a) : A$.

One may wonder whether a completeness result holds, as a converse to
our soundness result. Unfortunately, the answer is no. For instance, if L1
gives a type to $a$ but not to $b$, then S1 cannot give a type to $1[a{:}A \cdot (b{:}B \cdot \mathit{id})]$,
while L1 gives a type to $\sigma(1[a{:}A \cdot (b{:}B \cdot \mathit{id})])$, that is, to $a$.

However, if L1 gives types to both $a$ and $b$, then S1 can give a type to
$1[a{:}A \cdot (b{:}B \cdot \mathit{id})]$. Conversely, if S1 can give a type to $1[a{:}A \cdot (b{:}B \cdot \mathit{id})]$,
then L1 can give types to both $a$ and $b$.

These observations suggest a reformulation of the soundness and completeness
claim. Informally, one would like to show that S1 can give a type
to a term iff L1 can give a type to the normal forms of the term and of some
subterms that σ normalization discards.
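The S1 rules of Definition 4.2 as a typechecker, with the L1 rules of Definition 4.1 beside them, added here as an example rather than taken from the paper. It demonstrates the determinism the text relies on (each rule is selected by the shape of its subject), Lemma 4.3 on the normal-form spelling 1[↑ⁿ] of an index, one instance of subject reduction for the Abs rule, and the incompleteness example just above: a cons element without an L1 type blocks the S1 typing of 1[a:A·(b:B·id)] even though its σ-normal form a is typed. The base type K and the ill-typed sample term are constructed for the demonstration.

```python
"""Typechecker for the first-order typed lambda-sigma calculus S1, with the
plain L1 rules alongside.  Added example, not code from the paper.

Types:          ('K', name)  or  ('arrow', A, B)
Environments:   tuple of types, innermost binder first, so A,E is (A,) + E
S1 terms:       ('var', 1)  ('lam', A, b)  ('app', b, a)  ('clos', a, s)
L1 terms:       ('var', n)  ('lam', A, b)  ('app', b, a)
Substitutions:  ('id',)  ('shift',)  ('cons', a, A, s)  ('comp', s, t)

s1_type(E, a) returns the A with E |- a : A and s1_env(E, s) the E' with
E |- s > E'; both raise IllTyped when no rule applies.
"""


class IllTyped(Exception):
    """No typing rule applies to the subject."""


ID, SHIFT = ('id',), ('shift',)


def s1_type(E, a):
    kind = a[0]
    if kind == 'var':                         # S1-var: A,E |- 1 : A  (S1 terms only contain the index 1)
        if a[1] != 1 or not E:
            raise IllTyped(f'index {a[1]} in an environment of length {len(E)}')
        return E[0]
    if kind == 'lam':                         # S1-lambda: A,E |- b : B  =>  E |- λA.b : A -> B
        A, b = a[1], a[2]
        return ('arrow', A, s1_type((A,) + E, b))
    if kind == 'app':                         # S1-app: E |- b : A -> B, E |- a : A  =>  E |- ba : B
        F, A = s1_type(E, a[1]), s1_type(E, a[2])
        if F[0] != 'arrow' or F[1] != A:
            raise IllTyped(f'cannot apply {F} to an argument of type {A}')
        return F[2]
    if kind == 'clos':                        # S1-clos: E |- s > E', E' |- a : A  =>  E |- a[s] : A
        return s1_type(s1_env(E, a[2]), a[1])
    raise IllTyped(f'unknown term {a!r}')


def s1_env(E, s):
    kind = s[0]
    if kind == 'id':                          # S1-id: E |- id > E
        return E
    if kind == 'shift':                       # S1-shift: A,E |- shift > E
        if not E:
            raise IllTyped('shift in the empty environment')
        return E[1:]
    if kind == 'cons':                        # S1-cons: E |- a : A, E |- s > E'  =>  E |- a:A.s > A,E'
        a, A, t = s[1], s[2], s[3]
        if s1_type(E, a) != A:
            raise IllTyped(f'cons element {a!r} does not have its declared type {A}')
        return (A,) + s1_env(E, t)
    if kind == 'comp':                        # S1-comp: E |- t > E'', E'' |- s > E'  =>  E |- s o t > E'
        return s1_env(s1_env(E, s[2]), s[1])
    raise IllTyped(f'unknown substitution {s!r}')


def l1_type(E, a):
    kind = a[0]
    if kind == 'var':                         # L1-var and L1-varn together: n selects the n-th entry of E
        if not 1 <= a[1] <= len(E):
            raise IllTyped(f'index {a[1]} in an environment of length {len(E)}')
        return E[a[1] - 1]
    if kind == 'lam':                         # L1-lambda
        return ('arrow', a[1], l1_type((a[1],) + E, a[2]))
    if kind != 'app':
        raise IllTyped(f'not an L1 term: {a!r}')
    F, A = l1_type(E, a[1]), l1_type(E, a[2])   # L1-app
    if F[0] != 'arrow' or F[1] != A:
        raise IllTyped(f'cannot apply {F} to an argument of type {A}')
    return F[2]


def de_bruijn(n):
    """The sigma-normal-form spelling of index n in S1: 1 for n = 1, else 1[shift o ... o shift]."""
    if n == 1:
        return ('var', 1)
    s = SHIFT
    for _ in range(n - 2):
        s = ('comp', SHIFT, s)
    return ('clos', ('var', 1), s)


def typeable(judgement, E, subject):
    """True iff the rule set `judgement` (s1_type, s1_env or l1_type) accepts the subject in E."""
    try:
        judgement(E, subject)
        return True
    except IllTyped:
        return False


# Constructed samples: K is a base type; ILL = 1 1 applies a K to a K and has no type in either theory.
K = ('K', 'K')
ILL = ('app', ('var', 1), ('var', 1))
INCOMPLETE = ('clos', ('var', 1), ('cons', ('var', 1), K, ('cons', ILL, K, ID)))   # 1[1:K.(ILL:K.id)]

if __name__ == '__main__':
    print(typeable(s1_type, (K,), INCOMPLETE), l1_type((K,), ('var', 1)))   # False, but sigma-nf 1 : K
```

Reading the S1-comp case is the one place where care is needed: $s' \circ s''$ applies $s'$ first, so the environment is threaded through $s''$ and only then through $s'$, which is what makes the closure rule compose correctly with Clos.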

5 Second-order theories

Type rules and typecheckers are also needed for second-order calculi. Unfortunately,
the situation is more complex than at the first order, because types
include binding constructs (quantifiers). These interact with substitutions
in the same subtle ways in which λ interacts with substitutions. (We have
no equivalent of β reduction here, but this too reappears in higher-order
typed systems.)

In implementing a typechecker (or proofchecker) for the second or higher
orders, we face the same concerns of efficient handling of substitution and
correctness of implementation that pushed us from the untyped λ-calculus
to the untyped λσ-calculus. These are important concerns in typechecking
Quest programs, for example. It is nice to discover that we can apply the
same concept of explicit substitutions to tackle typechecking problems as
well.

In order to carry out this plan, we must first obtain a second-order system
with explicit substitutions, which already incurs several difficulties. Then
we must refine the system, and obtain an actual typechecking algorithm.
During this long enterprise, where many steps are interesting for their own
sake, we should keep in mind the goal of deriving an algorithm that is correct
and close to a sensible implementation by virtue of handling substitutions
explicitly.

Second-order theories are considerably more complex than untyped or
first-order theories, both in number of rules and in subtlety. The complication
is already apparent in the De Bruijn formulation of the ordinary
second-order λ-calculus (L2, below). The complication intensifies in the
second-order λσ-calculus (S2) because of unexpected difficulties. (We have
mentioned some of them in the informal overview.)

We begin with a description of L2, then we define S2 and prove that it
is sound with respect to L2. Unlike L1, L2, and even S1, the new system S2
is not deterministic. Therefore, we also define a second-order typechecking
algorithm S2alg, and prove that it is sound with respect to S2.
The syntax for the second-order λ-calculus is:

$$\text{Types} \quad A ::= n \mid A \to B \mid \forall A$$

$$\text{Environments} \quad E ::= \mathit{nil} \mid A, E \mid \mathit{Ty}, E$$

$$\text{Terms} \quad a ::= n \mid \lambda A.a \mid \Lambda a \mid ab \mid aB$$

The system L2 consists of the type rules for the second-order λ-calculus:

Definition 5.1 (Theory L2)

$$(\text{L2-nil}) \qquad \vdash \mathit{nil}\ \mathrm{env}$$

$$(\text{L2-ext}) \qquad \frac{\vdash E\ \mathrm{env} \qquad E \vdash A :: \mathit{Ty}}{\vdash A, E\ \mathrm{env}}$$

$$(\text{L2-ext2}) \qquad \frac{\vdash E\ \mathrm{env}}{\vdash \mathit{Ty}, E\ \mathrm{env}}$$

$$(\text{L2-tvar}) \qquad \frac{\vdash E\ \mathrm{env}}{\mathit{Ty}, E \vdash 1 :: \mathit{Ty}}$$

$$(\text{L2-tvarn}) \qquad \frac{E \vdash n :: \mathit{Ty} \qquad E \vdash A :: \mathit{Ty}}{A, E \vdash n{+}1 :: \mathit{Ty}}$$

$$(\text{L2-tvarn2}) \qquad \frac{E \vdash n :: \mathit{Ty}}{\mathit{Ty}, E \vdash n{+}1 :: \mathit{Ty}}$$

$$(\text{L2-tfun}) \qquad \frac{E \vdash A :: \mathit{Ty} \qquad A, E \vdash B :: \mathit{Ty}}{E \vdash A \to B :: \mathit{Ty}}$$

$$(\text{L2-tgen}) \qquad \frac{\mathit{Ty}, E \vdash B :: \mathit{Ty}}{E \vdash \forall B :: \mathit{Ty}}$$

$$(\text{L2-var}) \qquad \frac{E \vdash A :: \mathit{Ty}}{A, E \vdash 1 : A\{\uparrow\}}$$

$$(\text{L2-varn}) \qquad \frac{E \vdash n : B \qquad E \vdash A :: \mathit{Ty}}{A, E \vdash n{+}1 : B\{\uparrow\}}$$

$$(\text{L2-varn2}) \qquad \frac{E \vdash n : B}{\mathit{Ty}, E \vdash n{+}1 : B\{\uparrow\}}$$

$$(\text{L2-lambda}) \qquad \frac{A, E \vdash b : B}{E \vdash \lambda A.b : A \to B}$$

$$(\text{L2-Lambda}) \qquad \frac{\mathit{Ty}, E \vdash b : B}{E \vdash \Lambda b : \forall B}$$

$$(\text{L2-app}) \qquad \frac{E \vdash b : A \to B \qquad E \vdash a : A}{E \vdash b(a) : B\{a{:}A \cdot \mathit{id}\}}$$

$$(\text{L2-App}) \qquad \frac{E \vdash b : \forall B \qquad E \vdash A :: \mathit{Ty}}{E \vdash b(A) : B\{A{::}\mathit{Ty} \cdot \mathit{id}\}}$$

We now move on to the S2 system, with the following syntax:

$$\text{Types} \quad A ::= 1 \mid A \to B \mid \forall A \mid A[s]$$

$$\text{Environments} \quad E ::= \mathit{nil} \mid A, E \mid \mathit{Ty}, E$$

$$\text{Terms} \quad a ::= 1 \mid \lambda A.a \mid \Lambda a \mid ab \mid aB \mid a[s]$$

$$\text{Substitutions} \quad s ::= \mathit{id} \mid \uparrow \mid a{:}A \cdot s \mid A{::}\mathit{Ty} \cdot s \mid s \circ t$$
In the previous section, we have seen how to formulate a first-order λσ-calculus
(S1) by adding one closure rule and a group of substitution rules
to the first-order λ-calculus (L1). Unfortunately, this approach fails for
second-order systems, as it would not provide a satisfactory treatment of
definitional equality. In L1, we can simply define a let construct in terms of
either abstraction and application, or substitution:

$$\mathbf{let}\ x{:}A = a\ \mathbf{in}\ b \;=_{\mathit{def}}\; (\lambda x{:}A.b)a \quad \text{or} \quad b\{a/x\}$$

In L2, we can accept this definition of let, and also define a Let construct
for giving names to types, by substitution:

$$\mathbf{Let}\ X = A\ \mathbf{in}\ b \;=_{\mathit{def}}\; b\{A/X\}$$

However, it is not adequate to define Let as an abbreviation for abstraction
and application. For instance, recall the example given in the
informal overview: $\mathbf{Let}\ X = \mathit{Bool}\ \mathbf{in}\ \lambda x{:}X.\mathit{not}(x)$ cannot be typed if it is
interpreted as $(\Lambda X.\lambda x{:}X.\mathit{not}(x))\mathit{Bool}$. Here the body of Let can only be
typechecked by knowing that $X = \mathit{Bool}$; it does not suffice to have $X{::}\mathit{Ty}$.
Thus, we must interpret Let with a substitution.

Unfortunately, this strategy does not carry over to S2. First, we cannot
define Let in S2 with a meta-level substitution, because the whole point of
S2 is to deal with explicit substitutions. Second, if we define Let with an
explicit substitution, we obtain:

$$\mathbf{Let}\ X = A\ \mathbf{in}\ b \;=_{\mathit{def}}\; b[(A{::}\mathit{Ty}/X) \cdot \mathit{id}]$$

and, for example,

$$\mathbf{Let}\ X = \mathit{Bool}\ \mathbf{in}\ \lambda x{:}X.\mathit{not}(x) \;=_{\mathit{def}}\; (\lambda x{:}X.\mathit{not}(x))[(\mathit{Bool}{::}\mathit{Ty}/X) \cdot \mathit{id}]$$

We still cannot type the body of Let independently, before pushing the
substitution into it. We are in no better shape than with the encoding of
Let via Λ. Hence, it does not suffice to deal with terms and substitutions
separately, as we did in the S1-clos rule of the previous section. The task
of deriving types cannot be separated from the task of applying substitutions.
The rules of S2 described below are structured in such a way that
substitutions are automatically pushed inside terms during typechecking, so
that typing can occur as expected in the example above. The unfortunate
side effect is a small explosion in the number of rules. We do not include an
analogue for S1-clos (in fact, we conjecture that it is admissible).

After having settled on a general approach, let us discuss the form of
judgments. The theory S2 is formulated with equivalence judgments, for
example judgments of the form $E \vdash a \sim b : A$. This judgment means
that in the environment $E$ the terms $a$ and $b$ both have type $A$ and are
equivalent. We can recover the standard judgments, with definitions such
as

$$E \vdash a : A \;=_{\mathit{def}}\; E \vdash a \sim a : A$$

In S2, equivalence judgments are needed because it is not always possible
to prove directly $E \vdash a : A$, but only $E \vdash b : A$ for a term $b$ that is
σ-equivalent to $a$ (as in the example above). Formally, in order to prove
$E \vdash a \sim a : A$, we first prove $E \vdash a \sim b : A$, and then use symmetry and
transitivity. Similarly, it is not always possible to prove directly $E \vdash a : A$,
but instead we may have to prove $E \vdash a : B$ for a type $B$ that is
σ-equivalent to $A$, and then we need to "retype" $a$ from $B$ to $A$.
We have seen in section 2 how the typing axiom for 1 has to be modified.
Similar considerations show that the rule for conses, S1-cons, needs to be
modified as well, and suggest the following, tentative rule:

$$\frac{E \vdash a \sim b : A[s] \qquad E \vdash s \sim t \triangleright E' \qquad E \vdash A[s] \sim B[t] :: \mathit{Ty}}{E \vdash (a{:}A \cdot s) \sim (b{:}B \cdot t) \triangleright A, E'}$$

Note that, in the hypothesis, we require that $a$ have type $A[s]$ rather than $A$:
the reason is that $A$ is well-formed in $E'$ rather than in $E$. Furthermore, we
require that $s$ and $t$ be equivalent substitutions of type $E'$, but in truth their
type is irrelevant. This suggests a new approach: we deal with judgments
of the form

$$E \vdash s \sim t\ \mathrm{subst}\ p$$

where $p$ records the length $|E'|$ of $E'$. (The precise relation between
environment lengths and substitution sizes, as defined in section 2, obeys the
invariant: if $E \vdash s\ \mathrm{subst}\ p$ and $|s| = (m, n)$ then $p = m + |E| - n \geq 0$.)

In fact, we could hardly do more than keep track of the lengths of
substitutions. As the following example illustrates, the type of a substitution
cannot be determined satisfactorily. In the tentative rule above, let $E = \mathit{nil}$,
$s = t = \mathit{Bool}{::}\mathit{Ty} \cdot \mathit{id}$, $a = b = \mathit{true}$, $A = 1$, and $B = \mathit{Bool}$. We obtain

$$\mathit{nil} \vdash (\mathit{true}{:}1 \cdot s) \sim (\mathit{true}{:}\mathit{Bool} \cdot t) \triangleright (1{::}\mathit{Ty}, \mathit{nil})$$

where we would more naturally expect the type $\mathit{Bool}{::}\mathit{Ty}, \mathit{nil}$. The information
that 1 is $\mathit{Bool}$ is not found in the environment: the substitution $s$ has
to be used to check that 1 is indeed $\mathit{Bool}$. It seems thus that the type of a
substitution cannot be intrinsically defined.

With these explanations in mind, the reader should be able to approach
the rules of the theory S2 (though some may find it preferable to understand
S2alg at the same time).

Definition 5.2 (Theory S2) See appendix 7.

We now prove the soundness of S2 with respect to L2. 

Proposition 5.3 (Soundness) 

1. If $E \vdash_{S2} a \sim b : A$ 
   then $\sigma(E) \vdash_{L2} \sigma(a) : \sigma(A)$ and $\sigma(a) = \sigma(b)$. 

2. If $E \vdash_{S2} A \sim B :: \mathrm{Ty}$ 
   then $\sigma(E) \vdash_{L2} \sigma(A) :: \mathrm{Ty}$ and $\sigma(A) = \sigma(B)$. 

3. If $\vdash_{S2} E \sim E' \;\mathit{env}$ 
   then $\vdash_{L2} \sigma(E) \;\mathit{env}$ and $\sigma(E) = \sigma(E')$. 

4. If $E \vdash_{S2} s \sim s' \;\mathit{subst}_p$ 
   then there exist $m$ and $n$ such that 

   • $\sigma(s) = G_1 \cdot \ldots \cdot G_m \cdot \uparrow^n$ and $\sigma(s') = G'_1 \cdot \ldots \cdot G'_m \cdot \uparrow^n$, 

   • for all $q \leq m$, either $G_q = G'_q = A{::}\mathrm{Ty}$ and $\sigma(E) \vdash_{L2} A :: \mathrm{Ty}$ for 
     some $A$, or $G_q = a{:}A$, $G'_q = a{:}A'$, $\sigma(A[\uparrow^q \circ s]) = \sigma(A'[\uparrow^q \circ s'])$, 
     and $\sigma(E) \vdash_{L2} a : \sigma(A[\uparrow^q \circ s])$ for some $a$, $A$, and $A'$, 

   • $p = m + |E| - n$. 

Proof The proof is by induction on the rules of S2. We omit the checking 
of the numeric invariant in the last part of the claim. The cases for the 
EqReenving rules are trivial. The symmetric character of the claim settles 
the cases for the Symm and Trans rules, as well as that for EqRetyping. 
Other easy cases are those for rules that express typing through rewriting, 
and where one of the sides of the underlying rewrite rule appears in 
the premise. This concerns EqTyClosVarId, EqTyClosPi, EqTyClosClos, 
EqClosVarId, EqClosApp, EqClosAbs, EqClosClos, EqCompId, EqCompShiftId, 
EqCompShiftCons, EqCompCons, EqCompComp, and their variants 
(such as EqClosApp2). Now we briefly examine the remaining cases: 

EqTyVar: by the induction hypothesis and L2-tvar. 

EqTyPi: by the induction hypothesis, L2-tfun, and the observation that 
$\sigma(A \to B) = \sigma(A) \to \sigma(B)$. 

EqTyPi2, EqTyClosVarShift, EqVar, EqAbs, EqApp, EqClosVarShift, 
EqNil, EqExt, and their variants (such as EqTyClosVarShiftN2): similar 
to EqTyVar and EqTyPi. 

EqTyClosVarCons: by the induction hypothesis (with $q = 1$). 

EqTyClosVarCong: we exploit the induction hypothesis on the first 
premise. There are two cases. If $m = 0$, then $s$ and $s'$ coincide, 
and the conclusion is identical to the second premise. If $m \geq 1$ and 
$\sigma(s) = G \cdot s_1$, then $G$ cannot have the form $a{:}A$, because we would get a 
contradiction from the induction hypothesis (on the second premise). 
Hence, $G = A{::}\mathrm{Ty}$, and the conclusion follows from the induction 
hypothesis on the first premise (with $q = 1$). 

EqClosVarCons: similar to EqTyClosVarCons, noting that $\sigma(A[s]) = 
\sigma(A[\uparrow \circ (a{:}A \cdot s)])$. 

EqClosVarCong: similar to EqTyClosVarCong, except that the second 
premise now forces $G$ to have the other form $a{:}A$. 

EqId, EqShift, EqShift2: since in these cases $s$ and $s'$ coincide and $m = 0$, 
the property holds vacuously for the conclusion. 

EqCons, EqCons2: by the induction hypothesis, noting that $\sigma(a{:}A \cdot s) = 
\sigma(a){:}\sigma(A) \cdot \sigma(s)$. 

EqCompShiftCong: we exploit the induction hypothesis on the premise. 
If $m = 0$, then $s$ and $s'$ coincide, and we can use the argument of 
case EqId. If $m > 0$, the conclusion follows immediately from the 
assumption, since $\sigma(\uparrow \circ s) = \sigma(s_1)$, where $\sigma(s) = G \cdot s_1$ for some $G$. 

□ 

As for S1, we speculate that the soundness claim for S2 can be strengthened, 
and that a converse completeness result then holds. 

We now provide a typechecking algorithm S2alg for the second-order 
calculus. The algorithm is formulated as a set of inference rules, for easy 
comparison with S2. As we will see, each rule of S2alg is an admissible rule 
of S2; this shows the soundness of S2alg. 

For terms that are not closures, S2alg and L2 operate identically. However, 
these are the least interesting cases: an actual implementation would 
manipulate only closures (as in subsection 3.5). In order to typecheck a 
term $a[s]$, the basic strategy is to analyze simpler and simpler components 
of $a$ while accumulating more and more complex substitutions in $s$. When 
we finally reach an index, we extract the relevant information from the 
substitution or from the environment. 

Informally, the algorithmic flow of control for each rule is: start with the 
given parts of the conclusion, recursively do what the assumptions on top 
require, accumulate the results, and from them produce the unknown parts 
of the conclusion. For example, if we want to type $a$ in the environment $E$, 
we select an inference rule of S2alg by inspecting the shape of its conclusion. 
Then we move on to the assumptions of this rule, recursively; we solve 
the typing problems presented by each of them, and collect the results to 
produce a type for the original term $a$. 

Some of the rules involve tests for type equivalence; two auxiliary "reduction" 
judgments are used for this: 

$$E \vdash s \rightsquigarrow s' \;\mathit{subst}_p \qquad\text{and}\qquad E \vdash A \rightsquigarrow A' :: \mathrm{Ty}$$

In these judgments, $s'$ and $A'$ are in a sort of weak head normal form, 
namely: $s'$ is never a composition, and if $A'$ is a closure then it has the form 
$1[\uparrow^n]$. 

Definition 5.4 (Algorithm S2alg) See appendix 8. 

To show that S2alg really defines an algorithm, we first notice that only 
one rule can be applied bottom-up in each situation. For the judgments 
$E \vdash A :: \mathrm{Ty}$ and $E \vdash A \rightsquigarrow A' :: \mathrm{Ty}$, we test applicability by cases on $A$; 
when $A = B[s]$, by cases on $B$; and when $B = 1$ by cases on the reduction of 
$s$. For $E \vdash a : A$, we proceed by cases on $a$; when $a = b[s]$, by cases on $b$; and 
when $b = 1$ by cases on the reduction of $s$. For $E \vdash s \;\mathit{subst}_p$, we proceed 
by cases on $s$, and when $s = t \circ u$ by cases on $t$. For $E \vdash s \rightsquigarrow s' \;\mathit{subst}_p$, 
we proceed by cases on $s$; when $s = t \circ u$, by cases on $t$; and when $t = \uparrow$ by 
cases on the reduction of $u$. Finally, $E \vdash A \leftrightarrow B :: \mathrm{Ty}$ is handled by cases 
on the reductions of $A$ and $B$. 

The following invariants can be used to show that the algorithm considers 
all the cases that may arise when the input terms are well-typed: 

If $E \vdash s \rightsquigarrow s' \;\mathit{subst}_p$ then $s'$ is one of 
    $\mathit{id}$ 
    $\uparrow^n$ ($n \geq 1$) 
    $a{:}A \cdot t$ (for some $a$, $A$, and $t$) 
    $A{::}\mathrm{Ty} \cdot t$ (for some $A$ and $t$) 

If $E \vdash A \rightsquigarrow A' :: \mathrm{Ty}$ then $A'$ is one of 
    $1$ 
    $1[\uparrow^n]$ ($n \geq 1$) 
    $B \to C$ (for some $B$ and $C$) 
    $\forall B$ (for some $B$) 
Finally, the algorithm can be shown to always terminate, with success 
or failure, because every rule either reduces the size of terms or moves terms 
towards a normal form. 
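The reduction strategy described above, as an added illustration that is not code from the paper: the following Python sketch implements the substitution-reduction judgment of appendix 8.4 (the relation $E \vdash s \rightsquigarrow s' \;\mathit{subst}_p$, which the algorithm computes before it can read off the index 1) together with the lookup behind rules ClosVarId, ClosVarCons and ClosVarCong, and the length index $p$ of the invariant $p = m + |E| - n$. Terms and types are opaque placeholders, since these rules never inspect them; treating $\uparrow^n \circ t$ as $\uparrow \circ (\uparrow^{n-1} \circ t)$ for $n > 1$ is an assumption, as the paper's rules only compose a single $\uparrow$. The sample substitutions in `demo` are constructed for the demonstration.

```python
"""Added example (not from the paper): weak-head reduction of explicit substitutions,
after the judgment  E |- s ~> s' subst_p  of appendix 8.4, and the index lookup behind
rules ClosVarId / ClosVarCons / ClosVarCong.  Terms and types are opaque placeholders.
Assumption not stated in the paper: ↑^n ∘ t (n > 1) is unfolded as ↑ ∘ (↑^(n-1) ∘ t)."""
from dataclasses import dataclass
from typing import Any, Union

@dataclass(frozen=True)
class Id:                          # id
    pass

@dataclass(frozen=True)
class Shift:                       # ↑^n, with n >= 1
    n: int

@dataclass(frozen=True)
class Cons:                        # a:A · tail   (term binding)
    term: Any
    ty: Any
    tail: "Subst"

@dataclass(frozen=True)
class TyCons:                      # A::Ty · tail (type binding)
    ty: Any
    tail: "Subst"

@dataclass(frozen=True)
class Comp:                        # s ∘ t
    s: "Subst"
    t: "Subst"

@dataclass(frozen=True)
class Clos:                        # a[s] or A[s]: a delayed substitution, left unevaluated here
    body: Any
    subst: "Subst"

Subst = Union[Id, Shift, Cons, TyCons, Comp]

def whnf(s: Subst) -> Subst:
    """Reduce s until it is no longer a composition; each branch names its S2alg rule."""
    if not isinstance(s, Comp):
        return s                                   # RedId, RedShift(2), RedCons(2)
    left, t = s.s, s.t
    if isinstance(left, Id):                       # RedCompId: id ∘ t ~> t'
        return whnf(t)
    if isinstance(left, Comp):                     # RedCompComp: (s ∘ t) ∘ u ~> s ∘ (t ∘ u)
        return whnf(Comp(left.s, Comp(left.t, t)))
    if isinstance(left, Cons):                     # RedCompCons: (a:A · s) ∘ t ~> a[t]:A · (s ∘ t)
        return Cons(Clos(left.term, t), left.ty, Comp(left.tail, t))
    if isinstance(left, TyCons):                   # RedCompCons2: (A::Ty · s) ∘ t ~> A[t]::Ty · (s ∘ t)
        return TyCons(Clos(left.ty, t), Comp(left.tail, t))
    if left.n > 1:                                 # assumption: ↑^n ∘ t = ↑ ∘ (↑^(n-1) ∘ t)
        return whnf(Comp(Shift(1), Comp(Shift(left.n - 1), t)))
    r = whnf(t)                                    # ↑ ∘ t: decided by the reduced form of t
    if isinstance(r, Id):                          # RedCompShiftId: ↑ ∘ id ~> ↑
        return Shift(1)
    if isinstance(r, Shift):                       # RedCompShiftShiftN: ↑ ∘ ↑^n ~> ↑^(n+1)
        return Shift(r.n + 1)
    return whnf(r.tail)                            # RedCompShiftCons(2): ↑ discards the first binding

def lookup_one(s: Subst) -> tuple:
    """What index 1 denotes under s (ClosVarId, ClosVarCons, ClosVarCong, TyClosVarCons):
    ("env", k) for 1[s] ~ 1[↑^k] (k-th environment entry, innermost = 0);
    ("term", a, A[t]) for 1[a:A · t] ~ a of type A[t];  ("type", A) for 1[A::Ty · t] ~ A."""
    r = whnf(s)
    if isinstance(r, Id):
        return ("env", 0)
    if isinstance(r, Shift):
        return ("env", r.n)
    if isinstance(r, Cons):
        return ("term", r.term, Clos(r.ty, r.tail))
    return ("type", r.ty)

def subst_index(s: Subst, env_len: int) -> int:
    """The p in  E |- s subst_p  for |E| = env_len, i.e. the invariant p = m + |E| - n
    (m consed bindings, n shifts).  A shift past the end of E is rejected: no Shift rule derives it."""
    r = whnf(s)
    if isinstance(r, Id):
        return env_len
    if isinstance(r, Shift):
        if r.n > env_len:
            raise ValueError(f"shift by {r.n} exceeds environment length {env_len}")
        return env_len - r.n
    return 1 + subst_index(r.tail, env_len)

def demo() -> dict:
    """Constructed inputs; a, b, A, B and Bool are placeholder names."""
    two_bindings = Cons("b", "B", Cons("a", "A", Id()))
    return {
        # the paper's example: E = nil, s = Bool::Ty · id, so 1[s] stands for Bool
        "paper": lookup_one(TyCons("Bool", Id())),
        # ↑ ∘ (b:B · a:A · id) discards b: index 1 now denotes a, of type A[id]
        "drop_one": lookup_one(Comp(Shift(1), two_bindings)),
        # (↑ ∘ ↑) ∘ (b:B · a:A · id) is reassociated and consumes both bindings
        "drop_two": whnf(Comp(Comp(Shift(1), Shift(1)), two_bindings)),
        # ↑ ∘ (↑ ∘ id) in an environment of length 3 reduces to ↑^2, so p = 3 - 2 = 1
        "index": subst_index(Comp(Shift(1), Comp(Shift(1), Id())), 3),
    }
```

The rejection in `subst_index` is the check an implementer should keep: the algorithm's Shift rules can never derive $\uparrow^n$ with $n > |E|$, so an input that forces it is ill-formed and must fail rather than silently index past the environment. Note also that the tail of a reduced cons is left as a composition, exactly as RedCompCons does; it is reduced only when a later $\uparrow$ (RedCompShiftCons) or a lookup actually needs it.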

The algorithm S2alg is sound with respect to S2: 

Proposition 5.5 

1. If $E \vdash_{S2alg} A :: \mathrm{Ty}$ then $E \vdash_{S2} A \sim A :: \mathrm{Ty}$. 

2. If $E \vdash_{S2alg} a : A$ then $E \vdash_{S2} a \sim a : A$. 

3. If $E \vdash_{S2alg} s \;\mathit{subst}_p$ then $E \vdash_{S2} s \sim s \;\mathit{subst}_p$. 

4. If $E \vdash_{S2alg} s \rightsquigarrow s' \;\mathit{subst}_p$ then $E \vdash_{S2} s \sim s' \;\mathit{subst}_p$. 

5. If $E \vdash_{S2alg} A \rightsquigarrow A' :: \mathrm{Ty}$ then $E \vdash_{S2} A \sim A' :: \mathrm{Ty}$. 

6. If $E \vdash_{S2alg} A \leftrightarrow A' :: \mathrm{Ty}$ then $E \vdash_{S2} A \sim A' :: \mathrm{Ty}$. 

7. If $\vdash_{S2alg} E \;\mathit{env}$ then $\vdash_{S2} E \sim E \;\mathit{env}$. 

Proof The proof is a simple case analysis, with an extensive use of the 
Symm and Trans rules. □ 

We conjecture that the algorithm is also complete, in the following sense: 

Conjecture 5.6 

1. If $E \vdash_{S2} A \sim A' :: \mathrm{Ty}$ then $E \vdash_{S2alg} A :: \mathrm{Ty}$. 

2. If $E \vdash_{S2} a \sim b : A$ 
   then $E \vdash_{S2alg} a : A'$ and $E \vdash_{S2alg} A' \leftrightarrow A :: \mathrm{Ty}$ for some $A'$. 

3. If $E \vdash_{S2} s \sim s' \;\mathit{subst}_p$ then $E \vdash_{S2alg} s \;\mathit{subst}_p$. 

4. If $\vdash_{S2} E \sim E' \;\mathit{env}$ then $\vdash_{S2alg} E \;\mathit{env}$. 

Unfortunately, it seems unlikely that one could simply prove the conjecture 
by induction on proofs (for example, the presence of $A' \leftrightarrow A$ in the 
second part of the statement gives rise to complications). 
6 Conclusion 

The usual presentations of the λ-calculus discreetly play down the handling 
of substitutions. This helps in developing the meta-theory of the λ-calculus, 
at a suitable level of abstraction. We hope to have demonstrated the benefits 
of a more explicit treatment of substitutions, both for untyped systems and 
typed systems. The theory and the manipulation of explicit substitutions 
can be delicate, but useful for correct and efficient implementations. 
7 Appendix: Theory S2 

7.1 Type equivalence 

$E \vdash A \sim B :: \mathrm{Ty}$ 

(TypeSymm)
$$\frac{E \vdash A \sim B :: \mathrm{Ty}}{E \vdash B \sim A :: \mathrm{Ty}}$$

(TypeTrans)
$$\frac{E \vdash A \sim B :: \mathrm{Ty} \quad E \vdash B \sim C :: \mathrm{Ty}}{E \vdash A \sim C :: \mathrm{Ty}}$$

(EqTyVar)
$$\frac{\vdash E \;\mathit{env}}{\mathrm{Ty}, E \vdash 1 \sim 1 :: \mathrm{Ty}}$$

(EqTyPi)
$$\frac{E \vdash A \sim A' :: \mathrm{Ty} \quad A, E \vdash B \sim B' :: \mathrm{Ty}}{E \vdash A \to B \sim A' \to B' :: \mathrm{Ty}}$$

(EqTyPi2)
$$\frac{\mathrm{Ty}, E \vdash B \sim B' :: \mathrm{Ty}}{E \vdash \forall B \sim \forall B' :: \mathrm{Ty}}$$

(EqTyClosVarId)
$$\frac{\vdash E \;\mathit{env}}{\mathrm{Ty}, E \vdash 1[\mathit{id}] \sim 1 :: \mathrm{Ty}}$$

(EqTyClosVarShift)
$$\frac{E \vdash 1 :: \mathrm{Ty} \quad E \vdash A :: \mathrm{Ty}}{A, E \vdash 1[\uparrow] \sim 1[\uparrow] :: \mathrm{Ty}}$$

(EqTyClosVarShift2)
$$\frac{E \vdash 1 :: \mathrm{Ty}}{\mathrm{Ty}, E \vdash 1[\uparrow] \sim 1[\uparrow] :: \mathrm{Ty}}$$

(EqTyClosVarShiftN)
$$\frac{E \vdash 1[\uparrow^n] :: \mathrm{Ty} \quad E \vdash A :: \mathrm{Ty}}{A, E \vdash 1[\uparrow^{n+1}] \sim 1[\uparrow^{n+1}] :: \mathrm{Ty}}$$

(EqTyClosVarShiftN2)
$$\frac{E \vdash 1[\uparrow^n] :: \mathrm{Ty}}{\mathrm{Ty}, E \vdash 1[\uparrow^{n+1}] \sim 1[\uparrow^{n+1}] :: \mathrm{Ty}}$$

(EqTyClosVarCons)
$$\frac{E \vdash A{::}\mathrm{Ty} \cdot s \;\mathit{subst}_p}{E \vdash 1[A{::}\mathrm{Ty} \cdot s] \sim A :: \mathrm{Ty}}$$

(EqTyClosVarCong)
$$\frac{E \vdash s \sim s' \;\mathit{subst}_p \quad E \vdash 1[s] :: \mathrm{Ty}}{E \vdash 1[s] \sim 1[s'] :: \mathrm{Ty}}$$

(EqTyClosPi)
$$\frac{E \vdash A[s] \to B[1{:}A \cdot (s \circ \uparrow)] :: \mathrm{Ty}}{E \vdash (A \to B)[s] \sim A[s] \to B[1{:}A \cdot (s \circ \uparrow)] :: \mathrm{Ty}}$$

(EqTyClosPi2)
$$\frac{E \vdash \forall(B[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)]) :: \mathrm{Ty}}{E \vdash (\forall B)[s] \sim \forall(B[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)]) :: \mathrm{Ty}}$$

(EqTyClosClos)
$$\frac{E \vdash A[s \circ t] :: \mathrm{Ty}}{E \vdash A[s][t] \sim A[s \circ t] :: \mathrm{Ty}}$$

(EqTypeReenving)
$$\frac{E \vdash A \sim B :: \mathrm{Ty} \quad \vdash E \sim E' \;\mathit{env}}{E' \vdash A \sim B :: \mathrm{Ty}}$$


7.2 Term equivalence 

$E \vdash a \sim b : A$ 

(TermSymm)
$$\frac{E \vdash a \sim b : A}{E \vdash b \sim a : A}$$

(TermTrans)
$$\frac{E \vdash a \sim b : A \quad E \vdash b \sim c : A}{E \vdash a \sim c : A}$$

(EqVar)
$$\frac{E \vdash A :: \mathrm{Ty}}{A, E \vdash 1 \sim 1 : A[\uparrow]}$$

(EqAbs)
$$\frac{E \vdash A \sim A' :: \mathrm{Ty} \quad A, E \vdash b \sim b' : B}{E \vdash \lambda A.b \sim \lambda A'.b' : A \to B}$$

(EqAbs2)
$$\frac{\mathrm{Ty}, E \vdash b \sim b' : B}{E \vdash \Lambda b \sim \Lambda b' : \forall B}$$

(EqApp)
$$\frac{E \vdash b \sim b' : A \to B \quad E \vdash a \sim a' : A}{E \vdash b(a) \sim b'(a') : B[a{:}A \cdot \mathit{id}]}$$

(EqApp2)
$$\frac{E \vdash b \sim b' : \forall B \quad E \vdash A \sim A' :: \mathrm{Ty}}{E \vdash b(A) \sim b'(A') : B[A{::}\mathrm{Ty} \cdot \mathit{id}]}$$

(EqClosVarId)
$$\frac{E \vdash 1 : A}{E \vdash 1[\mathit{id}] \sim 1 : A}$$

(EqClosVarShift)
$$\frac{E \vdash 1 : A \quad E \vdash B :: \mathrm{Ty}}{B, E \vdash 1[\uparrow] \sim 1[\uparrow] : A[\uparrow]}$$

(EqClosVarShift2)
$$\frac{E \vdash 1 : A}{\mathrm{Ty}, E \vdash 1[\uparrow] \sim 1[\uparrow] : A[\uparrow]}$$

(EqClosVarShiftN)
$$\frac{E \vdash 1[\uparrow^n] : A \quad E \vdash B :: \mathrm{Ty}}{B, E \vdash 1[\uparrow^{n+1}] \sim 1[\uparrow^{n+1}] : A[\uparrow]}$$

(EqClosVarShiftN2)
$$\frac{E \vdash 1[\uparrow^n] : A}{\mathrm{Ty}, E \vdash 1[\uparrow^{n+1}] \sim 1[\uparrow^{n+1}] : A[\uparrow]}$$

(EqClosVarCons)
$$\frac{E \vdash a{:}A \cdot s \;\mathit{subst}_p}{E \vdash 1[a{:}A \cdot s] \sim a : A[s]}$$

(EqClosVarCong)
$$\frac{E \vdash s \sim s' \;\mathit{subst}_p \quad E \vdash 1[s] : A}{E \vdash 1[s] \sim 1[s'] : A}$$

(EqClosAbs)
$$\frac{E \vdash \lambda A[s].b[1{:}A \cdot (s \circ \uparrow)] : B}{E \vdash (\lambda A.b)[s] \sim \lambda A[s].b[1{:}A \cdot (s \circ \uparrow)] : B}$$

(EqClosAbs2)
$$\frac{E \vdash \Lambda(b[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)]) : B}{E \vdash (\Lambda b)[s] \sim \Lambda(b[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)]) : B}$$

(EqClosApp)
$$\frac{E \vdash (b[s])(a[s]) : A}{E \vdash b(a)[s] \sim (b[s])(a[s]) : A}$$

(EqClosApp2)
$$\frac{E \vdash (b[s])(A[s]) : B}{E \vdash b(A)[s] \sim (b[s])(A[s]) : B}$$

(EqClosClos)
$$\frac{E \vdash a[s \circ t] : A}{E \vdash a[s][t] \sim a[s \circ t] : A}$$

(EqRetyping)
$$\frac{E \vdash a \sim b : A \quad E \vdash A \sim B :: \mathrm{Ty}}{E \vdash a \sim b : B}$$

(EqTermReenving)
$$\frac{E \vdash a \sim b : A \quad \vdash E \sim E' \;\mathit{env}}{E' \vdash a \sim b : A}$$

As in S1, we do not include Beta rules in S2: 

(Beta)
$$\frac{E \vdash a : A \quad A, E \vdash b : B}{E \vdash (\lambda A.b)(a) \sim b[a{:}A \cdot \mathit{id}] : B[a{:}A \cdot \mathit{id}]}$$

(Beta2)
$$\frac{E \vdash A :: \mathrm{Ty} \quad \mathrm{Ty}, E \vdash b : B}{E \vdash (\Lambda b)(A) \sim b[A{::}\mathrm{Ty} \cdot \mathit{id}] : B[A{::}\mathrm{Ty} \cdot \mathit{id}]}$$

7.3 Substitution equivalence 

$E \vdash s \sim t \;\mathit{subst}_p$ 

(SubsSymm)
$$\frac{E \vdash s \sim t \;\mathit{subst}_p}{E \vdash t \sim s \;\mathit{subst}_p}$$

(SubsTrans)
$$\frac{E \vdash s \sim t \;\mathit{subst}_p \quad E \vdash t \sim u \;\mathit{subst}_p}{E \vdash s \sim u \;\mathit{subst}_p}$$

(EqId)
$$\frac{\vdash E \;\mathit{env}}{E \vdash \mathit{id} \sim \mathit{id} \;\mathit{subst}_{|E|}}$$

(EqShift)
$$\frac{E \vdash A :: \mathrm{Ty}}{A, E \vdash \uparrow \sim \uparrow \;\mathit{subst}_{|E|}}$$

(EqShift2)
$$\frac{\vdash E \;\mathit{env}}{\mathrm{Ty}, E \vdash \uparrow \sim \uparrow \;\mathit{subst}_{|E|}}$$

(EqCons)
$$\frac{E \vdash a \sim b : A[s] \quad E \vdash s \sim t \;\mathit{subst}_p \quad E \vdash A[s] \sim B[t] :: \mathrm{Ty}}{E \vdash a{:}A \cdot s \sim b{:}B \cdot t \;\mathit{subst}_{p+1}}$$

(EqCons2)
$$\frac{E \vdash A \sim B :: \mathrm{Ty} \quad E \vdash s \sim t \;\mathit{subst}_p}{E \vdash A{::}\mathrm{Ty} \cdot s \sim B{::}\mathrm{Ty} \cdot t \;\mathit{subst}_{p+1}}$$

(EqCompId)
$$\frac{E \vdash s \sim s' \;\mathit{subst}_p}{E \vdash \mathit{id} \circ s \sim s' \;\mathit{subst}_p}$$

(EqCompShiftId)
$$\frac{E \vdash \uparrow \;\mathit{subst}_p}{E \vdash \uparrow \circ \mathit{id} \sim \uparrow \;\mathit{subst}_p}$$

(EqCompShiftCons)
$$\frac{E \vdash s \sim s' \;\mathit{subst}_p \quad E \vdash a : A[s]}{E \vdash \uparrow \circ (a{:}A \cdot s) \sim s' \;\mathit{subst}_p}$$

(EqCompShiftCons2)
$$\frac{E \vdash s \sim s' \;\mathit{subst}_p \quad E \vdash A :: \mathrm{Ty}}{E \vdash \uparrow \circ (A{::}\mathrm{Ty} \cdot s) \sim s' \;\mathit{subst}_p}$$

(EqCompShiftCong)
$$\frac{E \vdash s \sim s' \;\mathit{subst}_{p+1}}{E \vdash \uparrow \circ s \sim \uparrow \circ s' \;\mathit{subst}_p}$$

(EqCompCons)
$$\frac{E \vdash a[t]{:}A \cdot (s \circ t) \;\mathit{subst}_p}{E \vdash (a{:}A \cdot s) \circ t \sim a[t]{:}A \cdot (s \circ t) \;\mathit{subst}_p}$$

(EqCompCons2)
$$\frac{E \vdash A[t]{::}\mathrm{Ty} \cdot (s \circ t) \;\mathit{subst}_p}{E \vdash (A{::}\mathrm{Ty} \cdot s) \circ t \sim A[t]{::}\mathrm{Ty} \cdot (s \circ t) \;\mathit{subst}_p}$$

(EqCompComp)
$$\frac{E \vdash s \circ (t \circ u) \;\mathit{subst}_p}{E \vdash (s \circ t) \circ u \sim s \circ (t \circ u) \;\mathit{subst}_p}$$

(EqSubstReenving)
$$\frac{E \vdash s \sim t \;\mathit{subst}_p \quad \vdash E \sim E' \;\mathit{env}}{E' \vdash s \sim t \;\mathit{subst}_p}$$

7.4 Environment equivalence 

$\vdash E \sim E' \;\mathit{env}$ 

(EnvSymm)
$$\frac{\vdash E \sim E' \;\mathit{env}}{\vdash E' \sim E \;\mathit{env}}$$

(EnvTrans)
$$\frac{\vdash E \sim E' \;\mathit{env} \quad \vdash E' \sim E'' \;\mathit{env}}{\vdash E \sim E'' \;\mathit{env}}$$

(EqNil)
$$\vdash \mathit{nil} \sim \mathit{nil} \;\mathit{env}$$

(EqExt)
$$\frac{\vdash E \sim E' \;\mathit{env} \quad E \vdash A \sim B :: \mathrm{Ty}}{\vdash A, E \sim B, E' \;\mathit{env}}$$

(EqExt2)
$$\frac{\vdash E \sim E' \;\mathit{env}}{\vdash \mathrm{Ty}, E \sim \mathrm{Ty}, E' \;\mathit{env}}$$

8 Appendix: Algorithm S2alg 

8.1 Inference for types 

(TyVar)
$$\frac{\vdash E \;\mathit{env}}{\mathrm{Ty}, E \vdash 1 :: \mathrm{Ty}}$$

(TyPi)
$$\frac{E \vdash A :: \mathrm{Ty} \quad A, E \vdash B :: \mathrm{Ty}}{E \vdash A \to B :: \mathrm{Ty}}$$

(TyPi2)
$$\frac{\mathrm{Ty}, E \vdash B :: \mathrm{Ty}}{E \vdash \forall B :: \mathrm{Ty}}$$

(TyClosVarId)
$$\frac{\mathrm{Ty}, E \vdash s \rightsquigarrow \mathit{id} \;\mathit{subst}_p}{\mathrm{Ty}, E \vdash 1[s] :: \mathrm{Ty}}$$

(TyClosVarShift)
$$\frac{E \vdash 1 :: \mathrm{Ty} \quad E \vdash A :: \mathrm{Ty}}{A, E \vdash 1[\uparrow] :: \mathrm{Ty}}$$

(TyClosVarShift2)
$$\frac{E \vdash 1 :: \mathrm{Ty}}{\mathrm{Ty}, E \vdash 1[\uparrow] :: \mathrm{Ty}}$$

(TyClosVarShiftN)
$$\frac{E \vdash 1[\uparrow^n] :: \mathrm{Ty} \quad E \vdash A :: \mathrm{Ty}}{A, E \vdash 1[\uparrow^{n+1}] :: \mathrm{Ty}}$$

(TyClosVarShiftN2)
$$\frac{E \vdash 1[\uparrow^n] :: \mathrm{Ty}}{\mathrm{Ty}, E \vdash 1[\uparrow^{n+1}] :: \mathrm{Ty}}$$

(TyClosVarCons)
$$\frac{E \vdash s \rightsquigarrow A{::}\mathrm{Ty} \cdot t \;\mathit{subst}_p}{E \vdash 1[s] :: \mathrm{Ty}}$$

(TyClosVarCong)
$$\frac{E \vdash s \rightsquigarrow \uparrow^n \;\mathit{subst}_p \quad E \vdash 1[\uparrow^n] :: \mathrm{Ty}}{E \vdash 1[s] :: \mathrm{Ty}}$$

(TyClosPi)
$$\frac{E \vdash A[s] :: \mathrm{Ty} \quad A[s], E \vdash B[1{:}A \cdot (s \circ \uparrow)] :: \mathrm{Ty}}{E \vdash (A \to B)[s] :: \mathrm{Ty}}$$

(TyClosPi2)
$$\frac{\mathrm{Ty}, E \vdash B[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)] :: \mathrm{Ty}}{E \vdash (\forall B)[s] :: \mathrm{Ty}}$$

(TyClosClos)
$$\frac{E \vdash A[s \circ t] :: \mathrm{Ty}}{E \vdash A[s][t] :: \mathrm{Ty}}$$

8.2 Inference for terms 

(Var)
$$\frac{E \vdash A :: \mathrm{Ty}}{A, E \vdash 1 : A[\uparrow]}$$

(Abs)
$$\frac{E \vdash A :: \mathrm{Ty} \quad A, E \vdash b : B}{E \vdash \lambda A.b : A \to B}$$

(Abs2)
$$\frac{\mathrm{Ty}, E \vdash b : B}{E \vdash \Lambda b : \forall B}$$

(App)
$$\frac{E \vdash b : A \to B \quad E \vdash a : A}{E \vdash b(a) : B[a{:}A \cdot \mathit{id}]}$$

(App2)
$$\frac{E \vdash b : \forall B \quad E \vdash A :: \mathrm{Ty}}{E \vdash b(A) : B[A{::}\mathrm{Ty} \cdot \mathit{id}]}$$

(ClosVarId)
$$\frac{A, E \vdash s \rightsquigarrow \mathit{id} \;\mathit{subst}_p}{A, E \vdash 1[s] : A[\uparrow]}$$

(ClosVarShift)
$$\frac{E \vdash 1 : A \quad E \vdash B :: \mathrm{Ty}}{B, E \vdash 1[\uparrow] : A[\uparrow]}$$

(ClosVarShift2)
$$\frac{E \vdash 1 : A}{\mathrm{Ty}, E \vdash 1[\uparrow] : A[\uparrow]}$$

(ClosVarShiftN)
$$\frac{E \vdash 1[\uparrow^n] : A \quad E \vdash B :: \mathrm{Ty}}{B, E \vdash 1[\uparrow^{n+1}] : A[\uparrow]}$$

(ClosVarShiftN2)
$$\frac{E \vdash 1[\uparrow^n] : A}{\mathrm{Ty}, E \vdash 1[\uparrow^{n+1}] : A[\uparrow]}$$

(ClosVarCons)
$$\frac{E \vdash s \rightsquigarrow a{:}A \cdot t \;\mathit{subst}_p}{E \vdash 1[s] : A[t]}$$

(ClosVarCong)
$$\frac{E \vdash s \rightsquigarrow \uparrow^n \;\mathit{subst}_p \quad E \vdash 1[\uparrow^n] : A}{E \vdash 1[s] : A}$$

(ClosAbs)
$$\frac{A[s], E \vdash b[1{:}A \cdot (s \circ \uparrow)] : B}{E \vdash (\lambda A.b)[s] : A[s] \to B}$$

(ClosAbs2)
$$\frac{\mathrm{Ty}, E \vdash b[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)] : B}{E \vdash (\Lambda b)[s] : \forall B}$$

(ClosApp)
$$\frac{E \vdash b[s] : A \to B \quad E \vdash a[s] : A' \quad E \vdash A \leftrightarrow A' :: \mathrm{Ty}}{E \vdash (b(a))[s] : B[a[s]{:}A \cdot \mathit{id}]}$$

(ClosApp2)
$$\frac{E \vdash b[s] : \forall B \quad E \vdash A[s] :: \mathrm{Ty}}{E \vdash (b(A))[s] : B[A[s]{::}\mathrm{Ty} \cdot \mathit{id}]}$$

(ClosClos)
$$\frac{E \vdash a[s \circ t] : A}{E \vdash a[s][t] : A}$$

8.3 Inference for substitutions 

(Id)
$$\frac{\vdash E \;\mathit{env}}{E \vdash \mathit{id} \;\mathit{subst}_{|E|}}$$

(Shift)
$$\frac{E \vdash A :: \mathrm{Ty}}{A, E \vdash \uparrow \;\mathit{subst}_{|E|}}$$

(Shift2)
$$\frac{\vdash E \;\mathit{env}}{\mathrm{Ty}, E \vdash \uparrow \;\mathit{subst}_{|E|}}$$

(Cons)
$$\frac{E \vdash a : B \quad E \vdash s \;\mathit{subst}_p \quad E \vdash A[s] \leftrightarrow B :: \mathrm{Ty}}{E \vdash a{:}A \cdot s \;\mathit{subst}_{p+1}}$$

(Cons2)
$$\frac{E \vdash A :: \mathrm{Ty} \quad E \vdash s \;\mathit{subst}_p}{E \vdash A{::}\mathrm{Ty} \cdot s \;\mathit{subst}_{p+1}}$$

(CompId)
$$\frac{E \vdash s \;\mathit{subst}_p}{E \vdash \mathit{id} \circ s \;\mathit{subst}_p}$$

(CompShift)
$$\frac{E \vdash s \;\mathit{subst}_{p+1}}{E \vdash \uparrow \circ s \;\mathit{subst}_p}$$

(CompCons)
$$\frac{E \vdash a[t]{:}A \cdot (s \circ t) \;\mathit{subst}_p}{E \vdash (a{:}A \cdot s) \circ t \;\mathit{subst}_p}$$

(CompCons2)
$$\frac{E \vdash A[t]{::}\mathrm{Ty} \cdot (s \circ t) \;\mathit{subst}_p}{E \vdash (A{::}\mathrm{Ty} \cdot s) \circ t \;\mathit{subst}_p}$$

(CompComp)
$$\frac{E \vdash s \circ (t \circ u) \;\mathit{subst}_p}{E \vdash (s \circ t) \circ u \;\mathit{subst}_p}$$

8.4 Substitution reduction 

(RedId)
$$\frac{\vdash E \;\mathit{env}}{E \vdash \mathit{id} \rightsquigarrow \mathit{id} \;\mathit{subst}_{|E|}}$$

(RedShift)
$$\frac{E \vdash A :: \mathrm{Ty}}{A, E \vdash \uparrow \rightsquigarrow \uparrow \;\mathit{subst}_{|E|}}$$

(RedShift2)
$$\frac{\vdash E \;\mathit{env}}{\mathrm{Ty}, E \vdash \uparrow \rightsquigarrow \uparrow \;\mathit{subst}_{|E|}}$$

(RedCons)
$$\frac{E \vdash A[s] :: \mathrm{Ty} \quad E \vdash a : B \quad E \vdash B \leftrightarrow A[s] :: \mathrm{Ty} \quad E \vdash s \;\mathit{subst}_p}{E \vdash a{:}A \cdot s \rightsquigarrow a{:}A \cdot s \;\mathit{subst}_{p+1}}$$

(RedCons2)
$$\frac{E \vdash A :: \mathrm{Ty} \quad E \vdash s \;\mathit{subst}_p}{E \vdash A{::}\mathrm{Ty} \cdot s \rightsquigarrow A{::}\mathrm{Ty} \cdot s \;\mathit{subst}_{p+1}}$$

(RedCompId)
$$\frac{E \vdash s \rightsquigarrow s' \;\mathit{subst}_p}{E \vdash \mathit{id} \circ s \rightsquigarrow s' \;\mathit{subst}_p}$$

(RedCompShiftId)
$$\frac{E \vdash s \rightsquigarrow \mathit{id} \;\mathit{subst}_{p+1}}{E \vdash \uparrow \circ s \rightsquigarrow \uparrow \;\mathit{subst}_p}$$

(RedCompShiftShiftN)
$$\frac{E \vdash s \rightsquigarrow \uparrow^n \;\mathit{subst}_{p+1}}{E \vdash \uparrow \circ s \rightsquigarrow \uparrow^{n+1} \;\mathit{subst}_p}$$

(RedCompShiftCons)
$$\frac{E \vdash s \rightsquigarrow a{:}A \cdot s' \;\mathit{subst}_{p+1} \quad E \vdash s' \rightsquigarrow s'' \;\mathit{subst}_p}{E \vdash \uparrow \circ s \rightsquigarrow s'' \;\mathit{subst}_p}$$

(RedCompShiftCons2)
$$\frac{E \vdash s \rightsquigarrow A{::}\mathrm{Ty} \cdot s' \;\mathit{subst}_{p+1} \quad E \vdash s' \rightsquigarrow s'' \;\mathit{subst}_p}{E \vdash \uparrow \circ s \rightsquigarrow s'' \;\mathit{subst}_p}$$

(RedCompCons)
$$\frac{E \vdash a[t]{:}A \cdot (s \circ t) \;\mathit{subst}_p}{E \vdash (a{:}A \cdot s) \circ t \rightsquigarrow a[t]{:}A \cdot (s \circ t) \;\mathit{subst}_p}$$

(RedCompCons2)
$$\frac{E \vdash A[t]{::}\mathrm{Ty} \cdot (s \circ t) \;\mathit{subst}_p}{E \vdash (A{::}\mathrm{Ty} \cdot s) \circ t \rightsquigarrow A[t]{::}\mathrm{Ty} \cdot (s \circ t) \;\mathit{subst}_p}$$

(RedCompComp)
$$\frac{E \vdash s \circ (t \circ u) \rightsquigarrow v \;\mathit{subst}_p}{E \vdash (s \circ t) \circ u \rightsquigarrow v \;\mathit{subst}_p}$$

8.5 Type reductions 

(RedTyVar)
$$\frac{\vdash E \;\mathit{env}}{\mathrm{Ty}, E \vdash 1 \rightsquigarrow 1 :: \mathrm{Ty}}$$

(RedTyPi)
$$\frac{E \vdash A :: \mathrm{Ty} \quad A, E \vdash B :: \mathrm{Ty}}{E \vdash A \to B \rightsquigarrow A \to B :: \mathrm{Ty}}$$

(RedTyPi2)
$$\frac{\mathrm{Ty}, E \vdash B :: \mathrm{Ty}}{E \vdash \forall B \rightsquigarrow \forall B :: \mathrm{Ty}}$$

(RedTyClosVarId)
$$\frac{\mathrm{Ty}, E \vdash s \rightsquigarrow \mathit{id} \;\mathit{subst}_p}{\mathrm{Ty}, E \vdash 1[s] \rightsquigarrow 1 :: \mathrm{Ty}}$$

(RedTyClosVarShiftN)
$$\frac{E \vdash s \rightsquigarrow \uparrow^n \;\mathit{subst}_p \quad E \vdash 1[\uparrow^n] :: \mathrm{Ty}}{E \vdash 1[s] \rightsquigarrow 1[\uparrow^n] :: \mathrm{Ty}}$$

(RedTyClosVarCons)
$$\frac{E \vdash s \rightsquigarrow A{::}\mathrm{Ty} \cdot s' \;\mathit{subst}_p \quad E \vdash A[s'] \rightsquigarrow B :: \mathrm{Ty}}{E \vdash 1[s] \rightsquigarrow B :: \mathrm{Ty}}$$

(RedTyClosPi)
$$\frac{E \vdash A[s] :: \mathrm{Ty} \quad A[s], E \vdash B[1{:}A \cdot (s \circ \uparrow)] :: \mathrm{Ty}}{E \vdash (A \to B)[s] \rightsquigarrow A[s] \to B[1{:}A \cdot (s \circ \uparrow)] :: \mathrm{Ty}}$$

(RedTyClosPi2)
$$\frac{\mathrm{Ty}, E \vdash B[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)] :: \mathrm{Ty}}{E \vdash (\forall B)[s] \rightsquigarrow \forall(B[1{::}\mathrm{Ty} \cdot (s \circ \uparrow)]) :: \mathrm{Ty}}$$

(RedTyClosClos)
$$\frac{E \vdash A[s \circ t] \rightsquigarrow B :: \mathrm{Ty}}{E \vdash A[s][t] \rightsquigarrow B :: \mathrm{Ty}}$$

8.6 Type equivalence 

(EqTyVar)
$$\frac{E \vdash A \rightsquigarrow 1 :: \mathrm{Ty} \quad E \vdash A' \rightsquigarrow 1 :: \mathrm{Ty}}{E \vdash A \leftrightarrow A' :: \mathrm{Ty}}$$

(EqTyPi)
$$\frac{E \vdash A \rightsquigarrow B \to C :: \mathrm{Ty} \quad E \vdash A' \rightsquigarrow B' \to C' :: \mathrm{Ty} \quad E \vdash B \leftrightarrow B' :: \mathrm{Ty} \quad B, E \vdash C \leftrightarrow C' :: \mathrm{Ty}}{E \vdash A \leftrightarrow A' :: \mathrm{Ty}}$$

(EqTyPi2)
$$\frac{E \vdash A \rightsquigarrow \forall B :: \mathrm{Ty} \quad E \vdash A' \rightsquigarrow \forall B' :: \mathrm{Ty} \quad \mathrm{Ty}, E \vdash B \leftrightarrow B' :: \mathrm{Ty}}{E \vdash A \leftrightarrow A' :: \mathrm{Ty}}$$

(EqTyClos)
$$\frac{E \vdash A \rightsquigarrow 1[\uparrow^n] :: \mathrm{Ty} \quad E \vdash A' \rightsquigarrow 1[\uparrow^n] :: \mathrm{Ty}}{E \vdash A \leftrightarrow A' :: \mathrm{Ty}}$$

8.7 Inference for environments 

(Nil)
$$\vdash \mathit{nil} \;\mathit{env}$$

(Ext)
$$\frac{\vdash E \;\mathit{env} \quad E \vdash A :: \mathrm{Ty}}{\vdash A, E \;\mathit{env}}$$

(Ext2)
$$\frac{\vdash E \;\mathit{env}}{\vdash \mathrm{Ty}, E \;\mathit{env}}$$